Will GDPR Kill WHOIS?

Slashdot reader monkeyzoo shares the Register's report on a disturbing letter sent to ICANN: Europe's data protection authorities have effectively killed off the current service, noting that it breaks the law and so will be illegal come 25 May, when GDPR comes into force... ICANN now has a little over a month to come up with a replacement to the decades-old service that covers millions of domain names and lists the personal contact details of domain registrants, including their name, email and telephone number. ICANN has already acknowledged it has no chance of doing so... The company warns that without being granted a special temporary exemption from the law, the system will fracture. ["Registries and registrars would likely implement varying levels of access to data depending on their interpretations of the law," ICANN warns.]
"ICANN had made the concept of a moratorium the central pillar of its effort to become compliant with the law," writes the Register. "But its entire strategy was built on a fantasy."

Thursday the EU's data protection advisory group told the site that there's no provision in the GDPR for an "enforcement moratorium", and the Register adds that the EU's data protection advisory group "is clearly baffled by ICANN's repeated requests for something that doesn't exist."

Probably not kill

[Z00L00K]

But it may make it change into the need to access the registrar to get further information whenever needed.

Re:Probably not kill

[Mr+D+from+63]

Blockchain to the rescue!

Re:Probably not kill

[Joce640k]

Let's hope so.

At the moment the whois database is:
a) A free mailing list for spammers
b) An excuse for ISPs to charge extra for "private listings".

If this law can change the situation then it gets my vote.

Re:Probably not kill

[TechyImmigrant]

This.

Be sure to register your domains with European registrars.

Re:Probably not kill

[lucm]

An excuse for ISPs to charge extra for "private listings"

Try AWS Route 53. $11 domains including privacy.

It's best if you use your own DNS service though (or the one from Office365 or Linode) because otherwise AWS charges you $0.50/zone per month.

Re:Probably not kill

That has nothing to do with anything.

Re: Probably not kill

I use Softlayer Secondary DNS in front of my own DNS server (running PowerDNS). Best of both worlds and free if you're a softlayer customer.

Thanks for the tip!

Re:Probably not kill

[Khyber]

"Try AWS Route 53. $11 domains including privacy."

And when that domain is found to be conducting illegal activities? I guess Amazon would then need to be held responsible for aiding and abetting.

Re:Probably not kill

[Antique+Geekmeister]

Please allow me to disagree. The "free mailing list for spammers" is for data that is typically already accessible by many other means, all of which are already in use by spammers.

Also note that most domains are not legitimate. Most are owned by domain squatters. In particular, they are owned by Network Solutions, which pre-registers all unused domains that are looked up from their servers, including their "whois" services and held hostage to prevent the people who sought the domain from registering it anywhere but through Network Solutions. The practice is sometimes known as "domain frontrunning", but I would certainly qualify it as cyber squatting. Network Solutions, and the domain registrars for the more than 1000 current top level domains, can do this without paying any fees for the 4-day holding period.

Other sources of fraudulent domains, eased by current policies, are fomain squatting for fraud. It's been useful to be forced to provide valid contact information, since a business owner can be contacted and served with a court order to cease operations, and a fraud can be reported for fraudulent contact information and get their domain canceled. It's also been useful to contact domain owners to notify them of network or service difficulties that are otherwise difficult to report: "send me email" or "go to the website" does not work when the site's DNS service has failed for any reason, or web servers are down. I've certainly used it that way and it's been invaluable to reach business partners in the middle of the night, when even their own alert system is disabled by a network issue.

Re:Probably not kill

Which is why, after some sort of sales pitch or major media article read that can be cited to upper management, some non-tech person will suggest the idea.

Re:Probably not kill

[Pentium100]

Actually no. When that domain is found to be conducting illegal activities, the police will show a court order to Amazon asking to identify the registrant.

It is the same procedure that is used now to identify people based on their IP addresses. There is no public directory of IP address vs subscriber, however, if you post a bomb threat as a comment on some site, you may get a visit from the police anyway.

Re:Probably not kill

I work for a registry and can confirm that the best way to have a domain put on hold or suspended is to complain about it's incorrect information in WHOIS. When someone calls about 'unlawful domain' because of content of a website, then I tell them to get the police to shut down the website. Unless if the WHOIS info is wrong or the domain name itself breaks the law, they can get stuffed.

Re:Probably not kill

More than 99% of our spam comes from domains with valid SPF records provided by European domain registrars. Fuck the Europeans and their GDPR - they're making it even easier for spammers.

Re:Probably not kill

[SuperDre]

how can blockchain come to the resque? as it's not allowed under the GDPR to contain any information publicly on the actual person who owns the site.

Re:Probably not kill

[lucm]

The point is that most registrars charge an extra fee for privacy, usually around $10, so it doubles the price of the domain. Doesn't matter if you operate a handful of domains, but if you have many, it adds up.

Also domain privacy is a must, if only to cut down on the "we can seo you web-site for teh google" spam and various scams.

Re:Probably not kill

[Gonoff]

More than 99% of our spam comes from domains with valid SPF records provided by European domain registrars. Fuck the Europeans and their GDPR - they're making it even easier for spammers.

Most of my spam comes, either from Russia or the USA. The Russians favourite seems to be either dodgy finance, breast expansion or penis extension. The US spam wants me to by my medicine from Canada but they suggest some iffy finance as well.

Russia, the market of people who want breast extensions and penis enlargement is pretty limited. As you have my name from somewhere, you will have noticed it is a male one. Males rarely want bigger moobs!

USA, please realise that sending things about buying medicine to the developed world is pointless as having a health care system is one of the things that makes somewhere actually be developed!

Both of you, Your financial spam needs work. FYI, I am over 12 - a common feature of people with email around here.

Re:Probably not kill

Network Solutions, which pre-registers all unused domains that are looked up from their servers...

How hard would it be to write an app, or even a browser add-on that looked up random strings of letters off their system? We could spam the cyber sitters!

Re:Probably not kill

[Mr+D+from+63]

Well, I was just kidding, as blockchain is the preferred go to media solution. However, to your point, aren't there ways to employ it anonomously?

So.. Yes.

So.. Yes.

and GDPR is?

No explanation of what the law is, or what provision that ICANN is in violation of... WTF kind of summary is this?

Re: and GDPR is?

A pretty good summary of business in the EU?

Re:and GDPR is?

[AmiMoJo]

The General Data Protection Regulation is a new set of rules governing the use of personal data in the EU. Among other things, it doesn't allow personal data to be shared without good reason, and ICANN makes names, addresses and other contact details available in the WhoIs database.

These rules have been on the horizon for years. It's not like they were suddenly announced yesterday. ICANN has had a long, long time to find a solution.

In any case, the system has been broken for decades anyway, because a lot of domains are registered behind privacy shield services, where a company registers the domain on behalf of their customer without revealing that person's information.

Re:and GDPR is?

[Joce640k]

No explanation of what the law is, or what provision that ICANN is in violation of... WTF kind of summary is this?

If you don't know how to use google then you probably shouldn't be reading this story.

https://www.cennydd.com/writin...

Re:and GDPR is?

[HiThere]

They've been on the horizon, but exactly what form they would take has been unclear. So it's reasonable that ICANN can't.

OTOH, the general tenor of the forthcoming regulation has been clear for a long time, and they should have been aware of the *kind* of change that was being requested. That they didn't stop promiscuously sharing personal information is clear sign that they didn't *want* to comply.

My general feeling is that if ICANN only needed to make detail corrections to a policy that was attempting to comply with what they knew were the desired goals, then the enforcers would probably be more lenient. But since ICANN was stonewalling, they saw not reason to be flexible. Enforcement of laws is almost always discretionary. This is often necessary, and is often used for political suppression, but it's still almost always there. That the EU is saying it's not going to give time to adapt is probably a clear sign that they feel ICANN has been ignoring more gentle requests.

Re:and GDPR is?

the GDPR content has been pretty clear for a very long time, to be precise April 2016. (then it was voted on by the European Parliament).

It has been clear that it will have impact on Companies and services, especially when you deal with personal data.

ICANN has just hoped that the Law will not apply to them - as so many companies that offer Goods and Services in Europe.

Sad for them now. 4% of your global turnover is the punishment. if you have not reacted by now you deserve that.

Re:and GDPR is?

[AmiMoJo]

It was finalized two years ago.

Re:and GDPR is?

[Joce640k]

They've been on the horizon, but exactly what form they would take has been unclear. So it's reasonable that ICANN can't.\

If you'll bother to read the summary you'll see that ICANN has had its hands over its ears and been going "I'm not listening, I'm not listening" for the last couple of years.

The law isn't hard to understand: It simply says "no!" to anybody who thinks personal data is something to be used to make money.

Publishing a database like "whois"? Not allowed.

Re:and GDPR is?

[physicsphairy]

You can also google these news stories without ever having to visit Slashdot. The reason for coming here is for curated information which fosters discussion. The summary provides the minimum information to understand the nature of the discussion and links to resources containing the fuller details. I would have to agree that this summary has failed to do that. The fact it's possible to work around the summary's deficiencies with a little extra labor does not make those deficiencies non-existent.

What makes more sense -- a million readers having to look up what GDPR is, or one person defining it?

Re:and GDPR is?

it doesn't allow personal data to be shared without good reason

Whois is a good reason, as service that has a well-defined purpose? If Whois is illegal, then so are the publicly available company and the related tax registries by the same logic.

Re:and GDPR is?

[Aighearach]

I pay more to hide that information than I pay for the domains, so this sounds like a feature for Europeans to me.

If a person actually wants to post information about a domain online, they can use an "about" or "contact" page. This isn't the 1990s, where a website might be down and the company didn't notice for a week until somebody called the ICANN contact. ;)

ICANN can't "find a solution," there is no solution. They're not supposed to be a decision-making body, they're supposed to be a management body that coordinates maintenance. That makes this the EU's problem; they're the decision-makers who did a thing that contradicts the other thing they don't control.

The real point is that this isn't something ICANN even does; they only handle how the different registrars coordinate to implement and maintain the database. Each registrar is the one actually managing individual entries, not ICANN. They don't even have any sort of authority with which to do anything. That's why ICANN warns that registrars will be implementing varying policies depending on each of their interpretations of the law.

Re:and GDPR is?

ICANN are just lackys for USA business special interests that make money off marketing data. This is why they can't fix their business. If you would read the article, you would see that they submitted a bunch of letters from business partners as their justification to the EU. The one letter from their "non-commercial" partners that they submitted basically agree with the EU that ICANN needed to fix how they operate.

Re:and GDPR is?

[monkeyzoo]

As the "submitter" I have to agree. The summary published actually doesn't contain anything I submitted, nor did I submit anything that it contains. So I guess they editorialized it extensively, which is fine. But it still bears my name, which is weird.

Re:and GDPR is?

[monkeyzoo]

Importantly, Slashdot's editors failed, IMO, to maintain a key point in this submission, that ICANN has been basically negligent and delusional in ignoring this pending law and failing to take any action in the TWO YEARS since the law was passed. And then at the last minute they asked for a moratorium and said otherwise they won't be able to adhere to the law. If you read the many months worth of coverage that The Register has published on this, it is a mindblowing story of incompetence and irresponsibility by ICANN. (Read the Register link in the OP, and the related articles will guide you.)

Submitted:

In a letter sent to DNS overseer ICANN, Europe's data protection authorities have effectively killed off the current service, noting that it breaks the law and so will be illegal come 25 May, when GDPR comes into force.

ICANN now has a little over a month to come up with a replacement to the decades-old service that covers millions of domain names and lists the personal contact details of domain registrants, including their name, email and telephone number.

ICANN has already acknowledged it has no chance of doing so. The company warns that without being granted a special temporary exemption from the law, the system will fracture, perhaps even resulting in the Whois service being turned off completely while a replacement was developed.

Critics point out that ICANN has largely brought these problems on itself, having ignored official warnings from the Article 29 Working Party for nearly a decade, and only taking the GDPR requirements seriously six months ago when there has been a clear two-year lead time.

European agencies responded and tore ICANN's plan to shreds, pointing out that it needs to be much more precise and to include both compliance and auditing functions. Critically, however, it did not address ICANN's request for a moratorium.

Even the idea of a moratorium appears to have been invented by ICANN. This is no evidence of a similar request from any other industry, and the GDPR is, after all, a globally applicable law that affects everyone.

---
ICANN gives domain souks permission to tell it the answer to Whois privacy law debacle
https://www.theregister.co.uk/...

As GDPR draws close, ICANN suggests 12 conflicting ways to cure domain privacy pains
https://www.theregister.co.uk/...

Whois is dead as Europe hands DNS overlord ICANN its arse
https://www.theregister.co.uk/...

US government weighs in on GDPR-Whois debacle, orders ICANN to go probe GoDaddy
https://www.theregister.co.uk/...

ICANN takes Whois begging bowl to Europe, comes back empty
https://www.theregister.co.uk/...

Europe fires back at ICANN's delusional plan to overhaul Whois for GDPR by next, er, year
https://www.theregister.co.uk/...

https://www.icann.org/en/syste...

https://www.icann.org/news/ann...

Re: and GDPR is?

Try, a pretty good summary of Slashdot's editorial diligence

Re:and GDPR is?

[monkeyzoo]

It seems obivous that ICANN was willfully ignoring reality. Various passages from The Register's coverage of the years' long unfolding:

ICANN has done its best to ignore [GDPR] for a number of years, relying on the fact it is a US corporation and that the American government is strongly supportive of the Whois system.

But then the companies that fund the organization started explaining that it was a real problem. Many have their headquarters or subsidiaries in Europe and GDPR imposes fines of up to €20 million or 4 per cent of turnover, whichever is larger, if companies are not in compliance.

So in response ICANN decided to commission a third-party to put everyone's minds at rest. But that expert came back and told ICANN the same thing: you have to sort this out now.

The problem really hit home when registries under contract with ICANN started rejecting the organization's authority. ICANN's legal department sent threatening letters to two internet registries based in Europe that said they won't run a Whois service. ICANN informed them it was in their contract.

They got back: that part of the contract is "null and void" because it conflicts with European law. It's safe to say that woke the Californian organization up.

Several months later, ICANN came up with a quick fudge: it would not impose its contractual obligations if companies sent it a letter explaining what they intended to do to fulfill the new European regulations. The idea was that ICANN would then use these models to devise its own system, which it would then ask everyone to apply.

When ICANN's staff and board realized it was going to be impossible to hit the May 25 deadline, it decided – by itself – that the best solution was simply to ask the DPAs for a delay.

And somehow – despite those authorities giving no indication that such an approach was even possible – the idea of a moratorium became the central component of ICANN's efforts to become compliant with the law.

In its summary of the subsequent meeting with WP29 earlier this week, US-based ICANN makes no mention of its core request for a moratorium and when we asked the organization whether it had made the request and what response it had received, it responded that it was "provided feedback from the DPAs and agreed there remain open questions."

What we now know is that the DPAs were much more blunt in their response: "The GDPR does not allow national supervisory authorities to create an 'enforcement moratorium' for individual data controllers."

Amazingly, it isn't just this concept of a moratorium where ICANN has deluded itself into believing a different version of reality.

Despite the clear guidance of the DPAs and even of its own external legal counsel that it specifically hired to advise it on how to become GDPR compliant, ICANN has also persuaded itself that it was going to be able to publish people's email addresses.

Re:and GDPR is?

[urbanriot]

One person linking to an explanation with a brief summary makes sense, similar to informative posts by other posters.

Re: and GDPR is?

[sabri]

Try, a pretty good summary of a NANOG thread that's weeks old.

Re:and GDPR is?

The law isn't hard to understand: It simply says "no!" to anybody who thinks personal data is something to be used to make money.

So Facebook is going to stop tracking, collecting, analysing, and selling user data? Ha!

Re:and GDPR is?

[dgatwood]

There's a quick solution to all of this. ICANN and IANA jointly run the root servers. Announce that any TLD registrar that doesn't provide WHOIS service will no longer be listed, and see how many days it takes the EU to fix their law.

If there is a conflict between the GDPR and WHOIS, then contrary to popular belief here on Slashdot, this is a flaw in the GDPR. As far as I know, even in the EU, people are not allowed to do business as a fictitious entity without registering their identity in a way that someone defrauded can look them up. The WHOIS database is the Internet equivalent of that. It serves an important role in the governance of the Internet, particularly with regards to copyright enforcement, but also with regards to libel laws, etc.

What the EU has done, with GDPR, is try to override the laws of many, many other countries whose laws require WHOIS to exist in one form or another, and to tear down one of the foundational pillars of Internet governance itself.

IMO, the nuclear response is the correct one. If, after GDPR goes into effect, registrars drop WHOIS, the Internet as a whole should drop all domains from that registrar from being visible anywhere outside of Europe. If they don't want domains to have to identify their owners, they can feel free to create their own little ultra-anonymous hell, cut off from the rest of the world. If they want the rest of the world to be able to see their websites, keeping their contact information up-to-date publicly is one of the requirements.

More to the point, everyone who owns (rents) a domain name knows this. The GDPR was intended to prevent companies from using people's personal information without their knowledge or consent. No domain owner should be surprised by the fact that WHOIS exists or by the fact that his or her information is being used in this way, because it was made abundantly clear in the ICANN domain registration agreement that he or she had to sign prior to registering a new domain name.

Further, ICANN-based registrars typically even go beyond the requirements of GDPR by regularly reminding registrants of their contractual obligation to keep their information in WHOIS up-to-date, lest their domains be confiscated.

So either the people reading the GDPR are misinterpreting it grossly or the GDPR is a train wreck of a law that attempts to force the will of a whiny group of bureaucrats over the objections of everyone involved in Internet governance. If it is the first, then the registrars will ignore the GDPR with regards to WHOIS, and nothing will change. I strongly suspect that this is the case, and that this is all much ado about nothing.

That said, if it is the latter, then the right thing to do is to segregate the EU into its own private Internet until such time as it agrees to comply with the rules of Internet governance. Their choice.

Re:and GDPR is?

[Pentium100]

What is the purpose of whois though? To allow the registrars to charge extra for the privacy option?

For example - whois includes the full name of a "contact person", even if the domain belongs to a company. There is absolutely no need for it - you can have email and an office telephone number, but there is no need to publish a name.

Re: and GDPR is?

Yes, actually. For European citizens and IPs anyway, yes. Hopefully this is the beginning of the end of Facebook and that entire lot of privacy destroying assholes who make money buying up, combining, cross matching, and reselling personal information that isn't theirs to have. Even of people who aren't Facebook users.

Re: and GDPR is?

Iâ(TM)d be quite happy to be cut off from the existing broken Whois system. If EU based registrars are dropped, then we see services replaced by ones in the EU. The rest of the world will still want to do business in EU, so we will see fragmentation and a shift in the balance of power away from the US. The EU is big enough for this to happen. Game over ICANN (finally)

Re:and GDPR is?

If you think splitting the internet into GDPR-compliant and non-GDPR-compliant sections is a good idea - and this is what your "idea" amounts to - then you are retarded. ICANN, like far too many US companies, simply thought they could ignore the rules due to good old American Exceptionalism, hence there being absolutely no effort to either a) ascertain how to comply or b) lobby, or at least meet with, the relevant EU body to thrash out a solution. An EU internet would be as pointless as a US internet, though it does have a certain appeal in that the EU one would have less right wing nutjobs.

Re:and GDPR is?

[AvitarX]

Does icann make any money publishing WHOIS?

Re: and GDPR is?

Nice n all except anyone you'd really need to look up in Whois has bogus contact info or has a privacy setting that masks their info.

Re:and GDPR is?

[Khyber]

"The summary published actually doesn't contain anything I submitted, nor did I submit anything that it contains."

I think it's about time a lawyer got involved because the editorialization has gone beyond anything reasonable. This literally amounts to them using your idea, your story, but literally everything stated is put into your mouth as if you had actually said it when you did not, ever.

Especially when the comments and such are supposed to be owned by the poster, which means they could've said some actionable and libelous shit, and been "That's how he submitted it." Now your ass is on the hook for their editorialization, which contains none of your original content.

No, this runs too close to being akin to identity theft in my book, and really msmash and anyone else on /. staff should probably consult with their lawyers on the legalities of what I just discussed, because this is serious. And they should probably make a full-out pinned story/apology for such bullshit.

Re:and GDPR is?

[Pentium100]

A lot of registrars are already non-compliant with ICANN's wishes to have my name, home address, telephone number and email address listed publicly for anyone to find and send "offers" to. Those evil registrars offer a service, where they remove my data from the public record, for a fee.

The only difference for GDPR is that the "WHOIS privacy" service will have to be free and on by default (as I understand it, there could be further limits as to what data the registrar can keep in its private database). If I am doing something illegal, the police can contact the registrar and get my personal information. There is absolutely no need for my name, home address, email and telephone number to be listed in public. If you think I have committed a crime, contact the police and they will contact the registrar.

WHOIS is like a phone book. I choose to not get listed in either. However, if I call to say that I have planted a bomb, then sure as hell the police will be able to find out my name and address by asking the telephone company.

Re:and GDPR is?

you are really not going to have anything of value to contribute to the discussion if this is the first time you've heard of GDPR or WHOIS.

Re:and GDPR is?

It's worse than that, they were told WHOIS wouldn't be compliant over a decade ago

Re:and GDPR is?

The registrars make money by charging extra for private listings. To be compliant all listings would be private by default.

Re: and GDPR is?

Congratulations Europe, you just outlawed the phone book. White pages and yellow pages both.

Re:and GDPR is?

[pjt33]

GDPR doesn't prohibit courts from issuing subpoenas ordering registrars to identify domain owners.

Re:and GDPR is?

[SuricouRaven]

Whois is a relic of the early days of the internet, when things were small and simple, and most conflicts were resolved engineer-to-engineer with a phone call or an email. The contact information was there to allow this sort of communication - often in the form of 'logging hack attempts from your server, someone probably compromised it' or 'Fix your bloody BGP announcements!' There was no point involving anyone else - the rest of the company barely understood what a computer did.

That was before there were millions of dollars at stake and lawsuits were commonplace. These days any large company is going to want all inter-company communications to go through customer services coming in and legal going out. They certainly won't want their engineers trying to directly contact the engineers of another company. Engineers tend to be distressingly honest at times, and what they see as a harmless explanation, a lawyer might see as an admission of error that can be used in a lawsuit.

Re:and GDPR is?

[thegarbz]

ICANN and IANA jointly run the root servers. Announce that any TLD registrar that doesn't provide WHOIS service will no longer be listed, and see how many days it takes the EU to fix their law.

Yes because we've all seen how quickly the EU bends over to the whim of Americans. /sarcasm

If there is a conflict between the GDPR and WHOIS, then contrary to popular belief here on Slashdot, this is a flaw in the GDPR.

Why? New time, new law. Something acceptable in the past, not acceptable now and incompatible with some service no one uses anymore doesn't make it "flawed". Specifically take note of the last part. WHOIS is a worthless database full of garbage entries. Hell my own domain's WHOIS entry isn't complaint with ICANN's rules and hasn't been for the past 15 years.

Re:and GDPR is?

Given company hysterics and male-baiting ... no white-guy uses GOOGLE for anything ... except distributing nuudlings that fuck with his ex-girlfriend.

Re: and GDPR is?

Congratulations Europe, you just outlawed the phone book. White pages and yellow pages both.

You can opt out of the phone book for free. Same is required with Whois now under GDPR. Bravo Europe!

Re:and GDPR is?

[Goetterdaemmerung]

GDPR doesn't prohibit courts from issuing subpoenas ordering registrars to identify domain owners.

There is no court subpoena if you can't identify a defendant.

Re:and GDPR is?

I see totally the opposite. Creating closed interfaces such as this will increase online criminal activity by stopping people from being able to track and report online abuse.

I expect these laws to not be taken seriously and pretty much repealed. I see this as a shining example of yet again, legislators not understanding how the Internet works. This needs to be done per industry segment a piece at a time. This approach will simply end in dismal failure.

(Just like everything the EU dreams up LOL).

Re: and GDPR is?

[guruevi]

Whois does more than just return registration information. It is the database of domain names. Without it you cannot ascertain whether what your DNS return values are true or whether or not a domain is unique.

Re:and GDPR is?

Whois is a relic of the early days of the internet, when things were small and simple, and most conflicts were resolved engineer-to-engineer with a phone call or an email. The contact information was there to allow this sort of communication

Same size of one: in the past year I've contacted someone via WHOIS many dozens of sometimes with a fairly high success rate in resolving an issue.

In once instance someone's point of sale system had been infected with spamming malware, and by me contacting them (because I noticed probing in our mail logs), the folks were able to clean things up. (And hopefully better their security.)

I often don't bother contact folks in CN or RU (lack of response in the past), but most other operators give some kind of reply, and often it's not just automated, but a real person. At $WORK we do sometimes get spammed from our WHOIS contact information, but it's not very often.

If WHOIS goes away, I would certainly miss it.

Re:and GDPR is?

[Frobnicator]

Those are third parties to ICANN. Private parties provide a technical contact, and that party contacts the actual technical contact.

The system requires the names for technical contacts to be published at the very least.

Re: and GDPR is?

[Z00L00K]

GDPR is a big issue for anyone collecting statistics like ad networks. Just look it up on wikipedia.

The impact on whois is really a marginal thing.

Re:and GDPR is?

[Pentium100]

Then how do defendants get identified by their IP addresses? There is no public IP - subscriber database. You have to ask the ISP to provide the information.

What is the difference here?

Re:and GDPR is?

[slew]

GDPR doesn't prohibit courts from issuing subpoenas ordering registrars to identify domain owners.

There is no court subpoena if you can't identify a defendant.

IANAL, but I believe there is a way to do this.

You can write a subpoena for an unknown person (e.g, a John Doe with partial information (like a domain name) and submit it to the court.

If approved by the court, you can take the subpoena to the registrar for that domain name and as part of the discovery process attempt to compel the registrar to release the name.

If the registrar doesn't turn over the information associated with the domain name, they are in violation of a court order. I believe the court can find the registrar in contempt of court.

Re: and GDPR is?

[thegarbz]

And WHOIS as a database system isn't at all a problem, only the rules for implementation as currently written by ICANN are.

e.g. the WHOIS system for Sweden is fully in compliance with the GDPR because it doesn't contain any personal names or details of people, but rather points to the registra, and still happily serves all the purposes you list.

Re:and GDPR is?

[AmiMoJo]

GDPR doesn't affect things like company registration and ownership records. There is a clear legal, necessary requirement for them to exist and permission is required in order to set up a limited liability company.

If ICANN tried to kick EU domains off then the EU would just fork DNS. The EU is much larger than the US (511 million to 325 million people) and any such move would hurt the US far more anyway, because the US would be the one with an incomplete set of DNS records.

In practical terms the US would be forced to recognize domains registered in the EU, because otherwise people in the US could register the same domains and use them to spread malware. Of course a lot of services people rely on would break for US users too.

ICANN will capitulate.

Re:and GDPR is?

As far as I know, even in the EU, people are not allowed to do business as a fictitious entity without registering their identity in a way that someone defrauded can look them up.

GPDR protects the privacy of natural persons, not of legal persons.

Re:and GDPR is?

LOL, all that will happen is companies in europe will create their own root, and the US will finally completely lose control of the internet.

Re:and GDPR is?

The summary published actually doesn't contain anything I submitted, nor did I submit anything that it contains

You must be new here.

Re:and GDPR is?

[Cederic]

No explanation of who or what ICANN are either, but I notice you didn't bother to complain about that.

If you're working in IT and haven't encountered GDPR then you should investigate it fully - it has impacts globally.

Re:and GDPR is?

Except that, like COPPA, it's just a sane law. I know, those are rare... but from what I can tell, all it does is tell companies they can't be pervy/careless with how they handle private info anymore. Any company that has sane, moral policies, won't have to do anything extra to comply.

captcha: denature

Re:and GDPR is?

[HiThere]

OK. Lots of people are saying, in one way or another, that I should have used harsher terms in criticizing ICANN. I don't like doing that, but I'll admit in this case it seems justified.

What I'm not sure of is to what extent the implementing regulations were detailed by the law that got passed. If, as some have indicated (and I still doubt) the detailed measures were a part of the bill, then I was extremely much too lenient in my criticisms. I've been assuming that the implementing rules were created based on the law rather than being specified in detail in the law. I still think that most likely. I also thought that the law was recently passed, rather than passed two years ago. Another "Whoops!".

But still, my basic feeling is that the reason the regulators are being so inflexible, is that ICANN has shown no intention of obeying the regulations. The mistakes I made only reinforce that ICANN has shown no intention of obeying the regulations.

Re:and GDPR is?

[HiThere]

I don't know about in Europe, but in the US there are "John Doe" subpoenas, where you don't know the name of the entity being subpoenaed, but you have other identifying information. Admittedly, those have been misused at times, but they also often serve a valid purpose.

So I suppose that a court could issue such a subpoena to "the entity using this IP address at this time". (Whether that information would be available is another question, of course.)

Re:and GDPR is?

[q4Fry]

As someone with a personal domain, I appreciate the opportunity to avoid broadcasting my personal details on WHOIS.

As someone who has encountered a troll site for local politics, I appreciate looking up the registrant to discover that it is owned by a foreign individual.

Re: and GDPR is?

[Brockmire]

Wtf? Why are you paying more for privacy than your domain? Wtf are you up to? Whois privacy is free from low cost registrar's like namesilo. It sounds like you pay more for each than I pay for both.

Re: and GDPR is?

[Brockmire]

I'd pledge $50 to a gofundme campaign to sue Slashdot editors. They are really, really bad.

And phone books?

Or are those not a thing in Europe? (Granted, they're not really a thing anymore where I am.)

Re:And phone books?

[Alain+Williams]

Another good example is the UK registry of limited companies. Here are the names of the directors of Tesco (a large supermarket) for all to see. How does that differ from whois ?

Re:And phone books?

[arth1]

You already have a right to not be listed in the phone book.
What probably will change is that phone companies no longer can charge extra for this, and other 3rd party phone book providers (most of which are scammers) will have a much harder time operating.

Re:And phone books?

[moronoxyd]

You already have a right to not be listed in the phone book.
What probably will change is that phone companies no longer can charge extra for this

Here in Germany, the option of not being listed in the phone book is free. And (and least for some phone companies) the default.

Re:And phone books?

[Pentium100]

I haven't seen a phone book in a while (though they are still printed, probably). However, for a long time people were able to ask that their numbers be excluded from the phone book.

Re:And phone books?

[Antique+Geekmeister]

"Limited companies" are businesses, owned by those individuals. An individual can register a personal domain for their own personal communications or communications. In US Constitutional terms, it becomes a free speech issue. Can one speak as an individual on the Internet hosting a website or email service or even an FTP document server, without giving up the personal information of the domain owner?

Re:And phone books?

[Alain+Williams]

In the UK a domain that is non commercial can opt to keep the name of the registrant private. I like that distinction of what should be publicly known and what can reasonably be kept private.

Re:And phone books?

[slew]

GDPR is a euro thing. The US constitution (and US free speech laws) are not really relevant. The EU and the UK have different standards for free speech and privacy than the US.

Re:And phone books?

[Cederic]

He was using an analogy to help people with limited education.

registrars' license to print money has expired.

i wonder if icann was getting kickbacks from godaddy and the like from 'private' registration fees.. and that was the reason for them dragging their feet here.. eu's new requirements all but kills that 'little' side business and profit center.

Re:registrars' license to print money has expired.

More likely kickbacks from the IP related troll companies so they can more easily sue people.

Do as Sweden do

[therealspacebug]

Swedens domain .se does not show who owns a domain. If more info is needed you have to ask the register.

Re:Do as Sweden do

but but but, how can the MAFIAA protect their precious without being able to directly blackmail all domainowners??

Re: Do as Sweden do

But then you can look up the tax reports of everyone (Swedes), without having to give a reason.

And if the domain exists for public access an imprint is required anyway.

So the only thing this does is hide the contact information of parked domains, or such used for purely private purposes.

Re:Do as Sweden do

ICANN wrote a letter begging for an exemption and more time, in which they put forward the fractured system argument among others. One of their own members wrote to the commission and bluntly shot down all of their arguments. For that one they pointed out the system was already fractured. Some registrars allow you to pay for a private listing, some do not allow them, and as you point out some regions such as Sweden have already shown no information for years. And the level of validation of the details varies.

ICANN had years to prepare

The summary does not mention that ICANN has had years to prepare and has done nothing. This is an ICANN screwup, plain and simple.

Re: ICANN had years to prepare

Bullshit. The law is overbroad and idiotic, ICANN needs to tell them to fuck off.
If Europeans don't want their info displayed they can update their registration or set it up under a company name. Or just get off the Internet.

Re:ICANN had years to prepare

[Joce640k]

The summary does not mention that ICANN has had years to prepare and has done nothing.

Ummm... "private" listings have been a thing for many years.

Re: ICANN had years to prepare

This has been the LAW for 2 years. The only change is that it will be enforced after may 25. Everyone who choices to ignore this will do it on itâ(TM)s own risk.

Re:ICANN had years to prepare

[F.Ultra]

And is it ICANN that provide these private listings today or is it the registrars who then are not following ICANNs rules?

Re: ICANN had years to prepare

[Z00L00K]

The law is good, it's painful for ad networks though since with it you have the right to ask every ad network about what they know about you.

I feel sorry for ICANN

[WaffleMonster]

How dare the EU disrupt this global extortion racket. Evil bastards.

The Internet needs WHOIS records today

[FeelGood314]

We may not need all the fields in the WHOIS record but there are many that are currently needed for the internet to function. I find it bizarre that the EU's data protection advisory group doesn't understand this and wouldn't create some sort of temporary provision to allow ICANN time to adjust. Their response seemed very arrogant.

Re:The Internet needs WHOIS records today

[Zocalo]

They've had two years since the GDPR was signed to law to prepare, and arguably *ten* years since the working group tasked with creating the GDPR first started outlining what they were going to propose to assess the likely impacts. ICANN have had plenty of time to "adjust" - and that other WHOIS providers around the world have adjusted is evidence of that - but chose to stick their head in the sand and claim it had nothing to do with them then, when it became obvious that was incorrect, to rely on something even their own legal counsel and contracted registrars told them was not going to fly. GDPR might be a vague legal quagmire for those that have to comply with it, but this, and the contractual mess it creates for their contracted registrars, is entirely down to ICANN's mismangement of the situation.

Re:The Internet needs WHOIS records today

[Joce640k]

I suspect the Internet will continue to function perfectly without my fake name, fake address and fake telephone number.

Re:The Internet needs WHOIS records today

[Aighearach]

Nothing in WHOIS is needed by networks. Everything the networks need is in the DNS database.

Re: The Internet needs WHOIS records today

Nobosy wants to hear your fake news!

Re:The Internet needs WHOIS records today

[Pentium100]

Really? Which whois records are needed for the internet to function? I mean whois privacy is a thing for a long time now, it just costs extra. With the new law people won't have to pay extra.

GDPR allows for the storage of personal data - as long as there is a valid reason to do so. For example, you run a repair shop and a client has brought his appliance for you to fix. You need the serial number of the appliance for warranty (not personal data) and you need the name and phone number of the client so you can contact him when the repairs are done. This is a valid reason and you are allowed to store the data as long as you need it. That is, once you give the appliance back to the client, you no longer need their name or telephone number, so you have to delete them from your database.

Re:The Internet needs WHOIS records today

I find it bizarre that the EU's data protection advisory group doesn't understand this and wouldn't create some sort of temporary provision to allow ICANN time to adjust. Their response seemed very arrogant.

Most of what you read about GDPR is FUD spread by all the organizations that rely on selling peoples private information.

GDPR isn't as extreme as many wants you to think.

Re: The Internet needs WHOIS records today

[teg]

GDPR isn't overriding all other laws. In the example you give, there are also laws for for keeping records. You would have to remove her from the customer database of requested, but the records on who did what for whom will love on in accounting.

Re: The Internet needs WHOIS records today

The arrogance is in Europe tempting to enforce their concept of how this should work on an international structure and other countries.

Time for some country with no particular links to Europe and no extradition to it to host, maintain, and publish WHOIS, and tell Europe to go to hell.

Re: The Internet needs WHOIS records today

[Pentium100]

The example was for warranty service. Under warranty, the money changes hands between the service center and the manufacturer, the customer is not involved in that transaction, only their appliance is. You only need the customer's telephone number so you can contact them when the repairs are one. You only need the customer's address if you plan on delivering the repaired appliance to them. You no longer need the information after the customer takes his appliance from you.

But yes, if you do out-of-warranty service for the customer then accounting will have the invoice and the payment.

Another example would be web sites that have "full name", "address" as a required fields for registration. If I can type fake info and still have the proper service, then those fields are not really necessary, are they? For example, a company that is not going to deliver any physical object to me does not need my address. A company that is going to deliver a physical object to me, may not need my address anymore after the object is delivered (though I may give consent to store my address so I do not have to type it every time I order something). Ebay sellers, for example, do not need to keep my address after sending out the item - if I order something again, ebay will give them my address again.

As I understand it, those requirements are so that 1) the customer data is not misused and 2) in case your customer database gets leaked, the damage will be less if only the information you need to have is there (and not the name an address of every person your company has ever dealt with)..

Re:The Internet needs WHOIS records today

[brunes69]

The group in charge of GDPR doesn't have the slightest idea how modern technology, software, cybersecurity, or the Internet in general works to begin with. If they did, then the GDPR would have been more sane.

Re:The Internet needs WHOIS records today

The people who NEED whois data are all those spammers trying to sell website services. Pretty sure the Internet can do without those. I'd certainly appreciate not getting their spam all the time.

Re:The Internet needs WHOIS records today

I think ICANN should adjust by dropping all EU registrars. They can go play in their country code domains or .eu domains all they want but not in .com.

Re: The Internet needs WHOIS records today

[Z00L00K]

The GDPR is put into place because way too many companies are abusing the privacy of people.

It still has provisions to allow data to be used if it is properly anonymized. But the goal is to make it harder to have privacy-invading calls to individuals and abuse personal data.

Re:The Internet needs WHOIS records today

[Jerry+Atrick]

ICANN have already had a 2 year "temporary provision" AKA 2 years to bother reading the GPDR law.
They had 10 years advance notice it was coming and endless opportunity to educate themselves or lobby for change.

They pissed away all opportunities given them, it ends now. No amount of threats or begging from the commercial parasites feeding on ICANNs unnecessarily open WHOIS can help them, they chose to be part of the problem and it's going to bite them.

Sounds like they thought they could throw

[rsilvergun]

their weight around and they couldn't.

Please, I'm Special!

[Artagel]

Well, this is one in a long line of people applying for exemptions to laws because they are special. The usual answer is, no, you are not special. It isn't for the administrative apparatus to get rid of the law it administers, it is for the political body responsible for the measure to pass a corrective measure.

Presumably one would have to contact domain name holders through their registrars without knowing who the registrant is. The system is not transparent, but it is private.

Re:Please, I'm Special!

Well, this is one in a long line of people applying for exemptions to laws because they are special. The usual answer is, no, you are not special. It isn't for the administrative apparatus to get rid of the law it administers, it is for the political body responsible for the measure to pass a corrective measure.

Presumably one would have to contact domain name holders through their registrars without knowing who the registrant is. The system is not transparent, but it is private.

Exactly. Just b/c there isn't one at present does not mean that there should not be one - there should be one. GDPR is extreme overreach by Europe.

WHOIS is a joke...

[b0s0z0ku]

I don't see major privacy implications. You can easily put a throwaway email address and a fake mailing address in your contact info, especially if you pay for the domain with a prepaid debit card. No one really cares.

WHOIS is mainly good for the domain owner because:
(1) Someone can contact them if they get hacked and the domain is being used for unsavory purposes like spam or phishing.
(2) People offering to buy the domain can contact them. If you don't want the offer, don't reply.

What's the big deal?

Re:WHOIS is a joke...

until someone files a TDRP request and you don't know about it because you didn't monitor that throwaway email. now you don't have a domain. I guess this means TDRPs are a relic of the past now and domain squatters win (until expensive and costly lawsuits take foot)

Re:WHOIS is a joke...

[Joce640k]

I don't see major privacy implications. You can easily put a throwaway email address and a fake mailing address in your contact info, especially if you pay for the domain with a prepaid debit card. No one really cares.

Technically, it's illegal to do so.

Re:WHOIS is a joke...

What is a prepaid debit card?

Re:WHOIS is a joke...

[WaffleMonster]

I don't see major privacy implications. You can easily put a throwaway email address and a fake mailing address in your contact info, especially if you pay for the domain with a prepaid debit card. No one really cares.

If you do this you can lose your domain. Some people don't want their information in whois records for multiple reasons including to protect themselves from physical violence.

Paying extra to keep your information out of whois is the same as paying extra to keep your name out of the white pages. This is extortion. It also actively encourages people to use bogus information to avoid having their information out there.

If everyone had a choice with no monetary repercussions whether or not to make their information private when managing their domains then at least registrars would have more useful information with which to contact domain owners when necessary vs. widespread practice of filling databases with nonsense.

Re:WHOIS is a joke...

[Pentium100]

A lot of people use whois privacy service, even though most registrars charge extra for it.

So, the registrars can just make whois provacy the default and no extra charge. They would probably be compliant with the law.

Public Internet

[CrashNBrn]

WhoIS is public information - who owns a domain. What's next hide who owns a business because Europeans are special snowflakes?

Why not just void all their domain registrations. Problem solved.

Re:Public Internet

[thinkwaitfast]

I don't understand what is wrong with whois. I used to use it all of the time like 30 years ago when I was heavily into internet stuff.

Re:Public Internet

[Joce640k]

Maybe it's an individual person who'd prefer not to have their full name, home address and telephone number published for the world to see.

Re:Public Internet

There's nothing wrong with whois,
the data that is in there, is there with a good reason,
so the GDPR pushing pussies and special snowflakes can go sod off.
The only reason to hide the info is to add more obfuscation to the whole and make it seem like more jobs were created, because now you'll have to do the whole bureaucratic dance just to inform someone about problems with their domain, and everyone knows, more bureaucrazy equals more money... BAH.

Re:Public Internet

And they haven't figured out Private Registration?

Re:Public Internet

[TechyImmigrant]

And they haven't figured out Private Registration?

And found how much extra that costs

Re:Public Internet

[Joce640k]

There's nothing wrong with whois,
the data that is in there, is there with a good reason,

No it isn't.

It might have been back when the only people who ran web sites were big corporations but that was 30 years ago.

Re:Public Internet

[Joce640k]

And they haven't figured out Private Registration?

Maybe they just don't enjoy being extorted to pay extra for what should be the default setting.

This law redresses that, it's a good thing.

Re:Public Internet

[MrMr]

No, they made private registration free and obligatory.That messes with the business model of ICANN.

Re: Public Internet

Why should I have to pay for that privilege? It's a fucking scam racket is what it is.

Re:Public Internet

Maybe the EU thinks that's something that shouldn't require an extra charge.

Re:Public Internet

[mrbester]

I've had private registration, by default, all the time with GANDI.net for all my domains. Yes, they're a European registrar. No, it cost me nothing. If I wanted the details public, I'd have to go into the admin and specifically turn off the privacy setting.

Re:Public Internet

Then maybe owning a domain name accessible to the world isn't the right thing for them?

Re:Public Internet

[rl117]

Right now, my *home* address, phone number and email are listed in the WHOIS database, put there by my ISP. And other stuff I own requires a RIPE handle with again my address, phone number and email listed. It's not corporate, it's personal/open source project-related. While I could pay some extra money to have (some of) this stuff obfuscated, the fact that it's in the open by default is a problem. 30 years ago the internet was a different place. Today, that information is going to be hoovered up by spammers, used for legal retribution if something thinks I downloaded something I shouldn't have, and used by assholes for SWATing. And so on. As far as I'm concerned, GDPR is going to be a massive improvement, and if WHOIS is forced to update their outdated and ridiculous practices as a result, then that's a massive bonus.

Re:Public Internet

Not being able to see what their price would be for a .com due to an error is not terribly reassuring. That should be a static page.

Re:Public Internet

I know a bunch of seniors that think being unlisted in the phone book is pretty weird. I guess some folks have a hard time accepting change.

Re:Public Internet

I know a bunch of seniors that think being unlisted in the phone book is pretty weird. I guess some folks have a hard time accepting change.

Yep. I remember when an "old person" asked me for my social security number (unnecessarily for some random business transaction), and I said I didn't want to give it. They thought I was very suspicious!!! LOL

Times change. Nobody cares about privacy until something like Cambridge Analytica comes along and everyone realizes it matters.

Fucking Europe at least recognizes that privacy is important to democracy and is a human right. I shouldn't have to publish my home address, name, and phone number on the public internet just to have a personal domain for email.

LOL

[matushorvath]

We have been working on getting our software GDPR compliant for past 6 months, with a huge effort in both analysis and development. And these guys think they will just shrug it of by waiting until the deadline and then writing a letter to the point of "we can just ignore this, right?" I literally LOLed.

That said, GDPR is complete nonsense, nobody will be fully compliant, and EU will not be able to punish everyone who is not compliant and will either have to ignore its own rules or amend them very soon.

Re:LOL

[AmiMoJo]

That said, GDPR is complete nonsense, nobody will be fully compliant, and EU will not be able to punish everyone who is not compliant and will either have to ignore its own rules or amend them very soon.

The classic "respecting your privacy is too hard" argument. Sure, it will take some time for everyone to come into compliance, but that's only because things got so bad already.

Re:LOL

[serviscope_minor]

The classic "respecting your privacy is too hard" argument. Sure, it will take some time for everyone to come into compliance, but that's only because things got so bad already.

Exactly. I mean it's a huge pain in the arse in that you can't be lax with user data, just as it's a huge pain in the rse to pay taxes, file proper accounts and not pullute the local waterways.

Re:LOL

Wait and see...

Re:LOL

[AmiMoJo]

To be fair, taxes would be a lot easier if they just replaced them with an honesty jar. I mean, you don't get to be CFO of a major multi-national corporation without demonstrating impeccable honesty, right?

Re:LOL

[matushorvath]

I'm all for privacy, but GDPR will impossible to follow in practice. One of the big issues is the right to be forgotten. We are a company with 50000 employees worldwide, with tons of information systems that are not completely integrated. If you call and tell me you want the whole company to forget that you exist, I am somehow supposed to access an excel file on a shared folder in Thailand that somebody created 10 years ago and delete your address from it even though your name was misspelled or you changed it in the meantime. That's not realistic and will not happen, even with best effort. This is one of those regulations where everyone will be violating it and the government will just choose who to punish and who not.

Re:LOL

The Laffer Curve is a scientific fact.
--
roman_mir

Re:LOL

That said, GDPR is complete nonsense, nobody will be fully compliant, and EU will not be able to punish everyone who is not compliant and will either have to ignore its own rules or amend them very soon.

We will be compliant.

Unless you are doing something sketchy that you shouldn't have done in the first place GDPR isn't really problematic.
Most companies only need to do two things:
1) Be willing to send customers what data you have on them if they ask.
2) Remove the said data when they stop being your customer.

Re:LOL

I am somehow supposed to access an excel file on a shared folder in Thailand that somebody created 10 years ago and delete your address from it even though your name was misspelled or you changed it in the meantime.

If it isn't traceable back to me it isn't really personal data.
However, in you example yes. Your organization shouldn't have put my personal information in a file in Thailand to begin with and your example really makes it sound like your company is very sloppy with customer data.
Your competitors probably already have it.

The "right to be forgotten" also doesn't apply to data you need to serve the customers.
You don't need to remove my data until I stop being your customer.

Re:LOL

[Pentium100]

Does the excel file also have the credit card numbers of your customers?

Under the new law you will only be able to handle my personal data for explicitly defined purposes, so, there will probably be a list of employees who can access my data and that list won't include "everyone in the company".

Re:LOL

[F.Ultra]

And that is also not required by the GDPR, you have to make a reasonable effort in order to remove the details, not a herculean effort. This is e.g why backups are not covered by the GDPR.

Re:LOL

[brunes69]

Anyone who posts a comment like yours either

(a) Knows nothing about how software and computers work in general

(b) Knows nothing about GDPR

(c) Has enough of an intersection of (a) and (b) that they are still very misinformed.

GDPR is a total farce and complete nonsense. If you don't realize that, then you don't know enough about it.

Re:LOL

[pjt33]

In your scenario it sounds like 10 years ago the company was already in violation of the Data Protection Directive. The big changes are how serious the fines can be, not how you can store and use data.

Re:LOL

[AmiMoJo]

Explain it to me then. Give me an example of an unsolvable problem.

Re:LOL

[AmiMoJo]

With 50k employees you must have someone who understands the GDPR who can explain why this isn't a real issue. In fact you should have been told by now anyway if it is at all relevant to your job.

Re:LOL

I'm a software lead at a firm dealing with a lot of blue-chip companies. Every last one of them is asking detailed questions about our GDPR compliance, and demanding full compliance for anything we sell them. Customers and management are both taking it very seriously.

Which is awesome: I now have an iron-clad reason to make sure that any requests (internal or external) for privacy-invasive shenanigans are carefully considered and flagged up to end users, which pretty much means we won't implement them. The best practice that I've been evangelising for my entire career is now mandatory, and we've been given extra time and resources to make sure we do it right.

The only people up in arms about GDPR are people whose business model relies on violating their customer's privacy, a few fear-mongering consultants "screaming the sky is falling... unless you hire me", and the poor shmucks who believe them. The reality is that it's not hard to comply unless you want to do shady stuff.

Re:LOL

[thegarbz]

That's not realistic and will not happen

Prosecution for the example you posted is not realistic and will not happen either. The amazing thing about this example is that if you can't reasonably find the data it's unlikely that someone else will either.

The law is pretty black and white and doesn't give participation awards for trying. But the reality is the application of the law will be directly tried to that effort.

Re:LOL

To comply with the GDPR you need to take better care of your customer's data. Are you arguing that because your company has been doing a terrible job up to now they should get a pass in the future? Has your company been somehow unable to make best efforts to comply, or got caught unawares by something that everyone else has known is coming for two years? Or did they just make the call that the cost of compliance was greater than the possibility of the fine for non-compliance?

Assuming that you have made and documented your best efforts to comply and are still worried about having missed something, it's very unlikely that you'll get hauled over the coals on the offchance that something comes up. If the procedures you put in place as part of your GDPR compliance project make it clear to the Taiwan office that if they find such a file they should securely dispose of it and instead use the centralised secure data storage that you will have created in order to comply, then when they come across it they will know what to do and you will be fine.

At the end of the day GDPR is just "implement best practice, or else". It's only a problem if you have been ignoring best practice up to now. Now that might not have been your call, but choosing to work for a company that doesn't care about it's customers data is, so I don't have a lot of sympathy for you either way.

Re:LOL

Really? Because for the first time I have ever seen, companies like Facebook, Google, Twitter, and others are actually having to adjust their privacy policies to protect consumers and their information. I am receiving many emails from services I use informing me how they are changing their practices to finally respect and protect and minimize the collection of my data.

All because of GDPR. Europe has done a great service for the benefit of the **global** internet! Becuase in practice, for many companies it is easier and more cost effective to just adjust their global data collection and privacy practices than create a two-tiered system. Facebook is the big example of the opposite of course... they moved all non-EU customers out of the Ireland data center (that they created to evade taxes) so they didn't have to stop profiting from their data.

Re:LOL

FTL Propulsion. I look forward to reading your solution.

Re:LOL

And this is the thing. Why would someone put personal data in a spreadsheet and save it in a shared folder in Thailand and everyone forget about it for 10 years?

One thing with the GDPR is to *THINK* about what information you save and where so that it isn't lying around everywhere. Do you really need to save that personal data in that shared spredsheet? Why do you need to save it? When is it of no use anymore? Why haven't you deleted it already?

Stupid people saving old personal data "just because" is one of the reasons the GDPR is needed.

Re:LOL

GDPR is a total farce and complete nonsense. If you don't realize that, then you don't know enough about it.

As someone who have been working for my workplace on how we were affected by the GDPR and realized that the system I designed a long time before it became a reality already had a number of safeguards in place that now is required by the GDPR I call your claim bullshit. Privacy is important, but the way business and government handles private data is laughable. Finally we are doing something about it.

It seems YOU do not know enough about it.

The only thing that I feel is bad with the GDPR is that the marketing lobby managed to lax some restrictions on it.

Re:LOL

I wouldn't bet on the EU not be willing and able to punish anyone. Last time Europeans got seriously they killed millions of people in gas chambers. We should not make any judgment, of course, it's part of their rich cultural heritage, but let's not fool ourselves into thinking they can not or will not do anything.

Re:LOL

[Cederic]

So basically you're telling me your company doesn't control, track or understand the data it holds.

That also means you can't properly protect the data subjects. Sounds like a big fine would be entirely fucking appropriate.

Re:LOL

[matushorvath]

It doesn't have to be customer data, since GDPR applies to employees as well, or any other physical person. So that shared excel file where you tracked who chipped in for coffee in your break room is now GDPR relevant. There is simply no way this can be realistically done to 100% accuracy. Companies will do the best they can, but everyone will be not compliant to some extent.

Re:LOL

We have been working on getting our software GDPR compliant for past 6 months, with a huge effort in both analysis and development.

Same here.

And these guys think they will just shrug it of by waiting until the deadline and then writing a letter to the point of "we can just ignore this, right?" I literally LOLed.

Agreed, it's silly.

That said, GDPR is complete nonsense, nobody will be fully compliant, and EU will not be able to punish everyone who is not compliant and will either have to ignore its own rules or amend them very soon.

You lost it there.

GDPR is complete nonsense

No, it isn't. You need to use less hyperbole.

kill away!

It needs to go and has needed to go for over 10 years

Why should we have to pay for "Privacy Guard" as a work around.

I say kill whois and disband ICANN. Surely we can do better than that! Do they actually do anything other than collect money from people registering domains? They have had ages of time and resources to fix things and have done nothing

Re:kill away!

Yes let's just cancel the internet while we're at it.

Idiot.

Re:kill away!

[mrbester]

If you were idiotic enough to go for a registrar that charged you extra for private registration out of the myriad available, that's on you. Yeah, you got stiffed.

Re:kill away!

That's the spirit. Down with the internet. Long live EuroNet!

That is what WHOIS does, doofus

More ccTLD operators do that, and it's stupid, short-sighted, incompatible, and doesn't actually work.

WHOIS exists exactly to query the registrar for, well, more information than you need really. And serve it up to anybody who asks. If you replace that with a webpage, that's the same thing but a different transport. Of course they do that so they can put a CAPTCHA in front to discourage (but by no means deter) spammers and other dataslurpers. All they do is shuffle the problem about a bit, breaking compatability, disappoint established expectations, but not actually solving anything.

The problem is that WHOIS contains far too much data; privacy directives typically demand there be some link between the data kept (and served) and a clear need to do so. Eg. "billing information" is very necessary for the registrar but does not need to sit in WHOIS, because it's nobody else's business who exactly pays the bills for the domain. What does matter is who owns it --who is responsible for content served-- and who to contact in case of technical trouble. The former needs a name and a place attached, the latter can equally well be a functional (telephone and email) address, as long as it works. So what's really needed is a clue or two about what WHOIS serves and why it does so. Make clear choices, have arguments ready to convincingly defend them. And remove all the data you can't defend.

Anyway, ICANN't are not actually competent to solve anything so it' s no surprise they can't solve this. They couldn't even come up with a clear problem description. They've had years and all they've managed is run around like headless chickens. Much like the "new gTLD" shitshow that got them so rightly derided.

Re:That is what WHOIS does, doofus

[Joce640k]

What does matter is who owns it --who is responsible for content served-- and who to contact in case of technical trouble.

Why? Why is there a need any of that to be public information?

If the content is illegal, tell the police. If the website is down then it's their problem, not yours.

Re: That is what WHOIS does, doofus

You're obviously not a sysadmin. The police understandably don't care about interoperability issues,and nor is it always apparent to both parties that they even exist. Being able to work through these issues with the other end is what keeps the internet from falling apart.

Re:That is what WHOIS does, doofus

What does matter is who owns it --who is responsible for content served-- and who to contact in case of technical trouble.

Why? Why is there a need any of that to be public information?

Good question. Why would any information be public at all? Who cares who owns google.com, it's practically government anyway. Everybody knows that making anything public is a breach of national security for the government, so best not do that. Keep everything secret, just to be safe.

Oh, the idiots that put through FOIA thought otherwise, but we'll deal with them in due time, just you watch!

Why are companies public, anyway? Pretty sure terrorists can read, so they can read the company register too. Why do we have phone books... well, had, they're electronic now. Someone bad might want to call you. Why give them the leverage?

So many questions! Where are the answers?!?

If the content is illegal, tell the police.

How does that work in the US, with subpoenas and serving them, again?

If the website is down then it's their problem, not yours.

The internet is much more than "a website", and it does happen now and again that someone's systems are doing stupid things that end up harmful for other systems. Originally the thing was set up as a cooperative, and by and large still is.

Though large companies would love you to believe otherwise, you little consumer, you. Especially telcos would love to turn the thing into some sort of interactive television, with matching tiered pricing. Even facebook tried it, they call it "internet.org". WHOIS makes no sense at all if you think the internet world consists of two kinds of parties, "producers" and "consumers" (aka "eyeballs"). Meaning that even net neutrality makes a showing in this issue.

But WHOIS makes perfect sense if the world of the internet is to cooperative, you scratch my back I scratch yours: You, possibly an administrator of some system or other, notice a problem, say on your own network but coming from elsewhere, and so you get on the phone with the guy responsible for running the system where the problem is coming from. Then you work out how to fix the mess. In that sense, WHOIS is the phone book for those running the internet, which by its original design was "everyone in on it".

Why do I have to explain this to you, mister "all the internet is a website"? And again, why do we publish the names of those who own companies, even to people who don't own companies? Riddle me that, please.

Re:That is what WHOIS does, doofus

[dgatwood]

If the content is illegal, tell the police. If the website is down then it's their problem, not yours.

It's not just about illegal content. It's also about misleading content. It is about knowing where to send the subpoena if you need to sue. It is about preventing foreign meddling in American elections. And so on.

The Internet was not designed around domain owner anonymity, and forcing anonymity upon it breaks things in fairly fundamental ways.

Re: That is what WHOIS does, doofus

The overwhelming majority of domains on the Internet are not in any situation where interoperability matters.

Re:That is what WHOIS does, doofus

[Khyber]

"If the content is illegal, tell the police."

Are you too fucking stupid to know the difference between criminal and civil liabilities?

"Why is there a need any of that to be public information?"

I refer you to my first question asked in this post.

Re: That is what WHOIS does, doofus

Now, yes. This didn't used to be the case. Used to be you had one domain for your organisation and anything else went into subdomains. Now, of course, it's all "web address with extension" and even most webhosters are consummate idiots unfit for polite company, n'mind relying on for service.

Anyhow, breaking WHOIS to protect your "overwhelming majority" of people who have no business owning domain names in the first place, thereby depriving those who need it of a useful tool when it counts, I think of as a poor trade-off.

Re:That is what WHOIS does, doofus

But all of that could be done with a court order to the registrar - let a judge decide if you have a civil case that warrants unmasking the owner or not.

That's what we do with IP addresses if we want an ISP to unmask who was assigned a particular IP at a certain time. Why do anything different for domains?

It's not as if ICANN doesn't have millions of dollars sat around doing nothing as a non-profit that decided to put TLDs up for sale for $300k a piece. The least they can do is spend some of it on doing some actual administration.

The .uk registrar nominet allows you to hide your details if you're a private citizen (company information isn't protected by GDPR anyway) and guess what? .co.uk still works fine, nothing is broken. Why would .org, .com, .net, et. al. need to be any different whatsoever? There's a trivial fix ICANN can put in place that's always tried and test by many national TLDs, there's literally no meaningful reason not to just implement it.

Re:That is what WHOIS does, doofus

[Pentium100]

Whois privacy is a thing. Most registrars just charge extra for it. I see no problem with making that free and the default option.

What things break in fundamental ways if whois privacy is enabled for everyone for free by default?

Re:That is what WHOIS does, doofus

[thegarbz]

The Internet was not designed around domain owner anonymity

The internet was not designed around identifying content owners. It was only ever designed around identifying individual computers. WHOIS is a useless bolt-on, completely irrelevant in that it hasn't contained useful information since the turn of the century and the rules about publishing identifying information have been either completely ignored at worst or gone unverified at best.

If you get something useful out of a WHOIS query, you should probably play the phone number in the lottery tonight.

Re:That is what WHOIS does, doofus

[thegarbz]

No requirement for civil proceedings requires personal information to be posted publicly. The registra has this personal information and can be compelled by a court to provide it. Nothing more should be needed.

Re:That is what WHOIS does, doofus

Cram in that misleading anti-Trotsky content like a banana. Hurts prog-snowflakes I hope like you fucked a kangaroo! It's about fucking SJW slut-kins in the azzwhole and watching them vomit ... while the misleading content just pours and pours. Spew progressive slut-kins spew ...

Re:That is what WHOIS does, doofus

Wait until Matlock here figures out that there are unlisted phone numbers that might call him! What if someone unlisted calls and says "nananana" and he needs to sue them immediately?

Re:That is what WHOIS does, doofus

[mysidia]

Whois privacy is a thing. Most registrars just charge extra for it. I see no problem with making that free and the default option.

When you use the "whois privacy" option: the legal owner of the domain according to the registry will be a proxy service. That means technically you no longer own the domain, except according to the proxy service you've hired --- if they go bankrupt or something, there's a chance "your" domain gets sold to satisfy their debts.

Re:That is what WHOIS does, doofus

[Antique+Geekmeister]

It's also about domain squatting, for which a working contact address is very useful.

Re:That is what WHOIS does, doofus

As a costumer you can choose to have your shit listed, so the domain squatters are free to list their email address so they can be contacted.

Re:That is what WHOIS does, doofus

[Khyber]

"No requirement for civil proceedings requires personal information to be posted publicly."

Oh boy I can tell you've never done SHIT in court, because once the proceedings are done, ALL OF THAT INFO IS MADE PUBLIC FUCKING RECORD.

Care to try again, oh ye of obviously lacking civic duty?

Re:That is what WHOIS does, doofus

[thegarbz]

"No requirement for civil proceedings requires personal information to be posted publicly."

Oh boy I can tell you've never done SHIT in court, because once the proceedings are done, ALL OF THAT INFO IS MADE PUBLIC FUCKING RECORD.

Care to try again, oh ye of obviously lacking civic duty?

Errr you clearly missed the point. So let me make them nice and carefully in chronological order so you know how you got to your very silly and irrelevant point:

1. AC questioned the need to keep these records public.
2. Joce640k implied there is none because if something illegal happens then they can go to the police.
3. You called out a difference between civial and criminal liability implying with your post that records need to be public for civil cases to proceed.
4. I stated that's not the case because these records get discovered during the court case.

Now at this point you've gone off the rails rambling about something irrelevant like court cases making these records public and then jested that I don't have a clue. I'm not sure quite what point you're trying to make here but it was completely irrelevant to the topic.

Anyway let me reel you back into the conversation slowly and reverse chronologically so you can meet us back on topic:
- Once something is in court and made public record it is no longer under the coverage of the GDPR. It becomes irrelevant to the conversation.
- To get discovered in court the information of people doesn't need to be posted publicly, just recorded privately by registras.
- The only public information needs to be the registra in charge of the domain. This is sufficient for any legal proceedings both civil and criminal.
- Ergo we're back to: WHOIS doesn't need to contain the private information that conflicts with the requirements of the GDPR.

Oh and I've been in court four times, once on each side of a civil case, and twice as an expert witness in a criminal case, and I studied this is a minor to my degree too. I don't feel like I lack very much thank you.

Re:That is what WHOIS does, doofus

[Khyber]

"4. I stated that's not the case because these records get discovered during the court case."

"I don't feel like I lack very much thank you."

you obviously lack the fact that many can't afford to PAY A COURT to compel people to hand over identifying information. Thus the GPDR by default fucks over people who need to access that information.

You haven't been in court enough, by any means, because you're missing a lot.

Try again when you've been dragged in and out of courtrooms for over 30 years from child custody to DRM cases (Kicked Electronic Arts Ass) criminal cases and more. You being an expert witness means exactly jack shit and if this was a minor to your degree you got a very lacking education.

Re:That is what WHOIS does, doofus

[thegarbz]

you obviously lack the fact that many can't afford to PAY A COURT to compel people to hand over identifying information.

Not at all. In much of the world it costs almost nothing to take someone to court, and costs even less if you win. But then you completely missed the entire premise of this post that someone is already taking someone to court over this otherwise they wouldn't need the information in the first place. That is one of the most epic logic fails I've seen posted on Slashdot.

You haven't been in court enough, by any means, because you're missing a lot.

Whatever man, just because your marriage broke up doesn't mean you know jack shit about how civil proceedings work. ... evidently.

Re: That is what WHOIS does, doofus

[Brockmire]

Are you white and super rich? You seem to think police just fucking do what you ask. Do you watch CSI shows and think cops know how to do basic technology shit? Wireshark your Internet traffic for a few hours and then wonder who the fuck you're communicating that you don't know about. Then call the police for their help.

Good

There is no reason the entire Internet needs my email address, phone number, and street address simply because I registered a domain. Contact requests can be blinded and forwarded through the registrar.

If it's a business dealing with the public, fine, let their contact info be public.

The idea that open whois information is necessary to stop spam/hacking/whatever is laughable.

because you broke privacy of people willfully

Look, most of those I see complaining about GDPR, are the one which simply did not care much for their customer privacy to begin with and the one most likely to gather data they have no reason or need for the transaction their customer were doing with them. If you are already PCI compliant, and gather only data related to order following, and address to deliver, there should be no reason for you to fear GDPR. I suspect that you were doing a little bit beyond that.

Re:The Internet was a great invention

"national socialism"

Europe isn't a country, genius.
Nice nazi argument btw. very convincing

Re: The Internet was a great invention

How's business in the lying and poisoning industry, Ivan?

this is part of GDPR I disagree with

This is like passing a law that says you can't have a phone directory. One absolutely SHOULD be able to see who owns a domain and how to get in contact with them.

Re:this is part of GDPR I disagree with

[Pentium100]

You can have a phone directory under the new law, under two conditions:
1. The person has to explicitly give consent for their number to be published (default is "no").
2. You cannot refuse the phone service if the person chooses to not get listed in the phone directory.

The problem

I don't know where ICANN is located, but this shows the problem with the lack of local companies and organizations. If ICANN was an American affair, they could tell the EU to shove their laws. They do not pertain the the United States and we will therefore, not abide by them.

Re: registrars' license to print money has expired

From a consumer standpoint, registration fees have only fallen since the introduction of registrars. Expect them to rise again. Also expect abuse to increase as it becomes more and more difficult to locate administrative and technical contacts.

No mention of number authorities, though. What are IANA and RIPE NCC doing?

ICANN - the Stalkers Saviour

Once-upon-a-time Whois was good. A bunch of geeky-techy sysadmins knew who to contact when there were problems with each other's domains. Now Whois serves as the Stalkers delight - and ICANN are the rapists defenders.

Think about that.

Anonymised listings

[VeryFluffyBunny]

Don't most people just pay for their info to be anonymised? Companies, organisations, companies, etc. should have to declare who they are and usually do on their website anyway.

Death of DNS too?

[Mozai]

Does this also spell the death of the SOA and RP records in DNS, since they also broadcast contact information?

Comment removed

[account_deleted]

Comment removed based on user account deletion

US shouldn't have handed over DNS to ICANN

[bongey]

The US government would have sovereign immunity to non-sense such as this.

Re:US shouldn't have handed over DNS to ICANN

[ebvwfbw]

That's right. I think they did that during the Obama administration. They were all too willing to hand it over. They had no appreciation for it. Someone else built it.

wait!!!

fair use is allowed under gdpr. whois is definitely fair use.

why is this the only conclusion? must not allow domain ownership information to be public? fair use as far as im concerned

registrars need to fight back for fair use scenarios like whois and the world needs better ownership

So the EU can ban whois in the EU if they like

[Kernel+Kurtz]

Why should ICANN care?

Not every entity in the world has to be complaint with EU law. Or US law. Or Chinese or Iranian law.

Re:So the EU can ban whois in the EU if they like

[Erik+Hensema]

You're entirely correct. Only companies with offices inside the EU (as ICANN has) or with customers in the EU (as ICANN has) must be compliant.

Re:So the EU can ban whois in the EU if they like

[Kernel+Kurtz]

Only companies with offices inside the EU (as ICANN has) or with customers in the EU (as ICANN has) must be compliant.

Only companies with offices inside the EU (as ICANN has) or with customers in the EU (as ICANN has) must be compliant, in the EU.

FTFY

If it was up to me I would just say "no ICAAN for you". We don't do business there.

Re:So the EU can ban whois in the EU if they like

[Erik+Hensema]

Thanks for the fix, you're right.

And since ICANN obviously does a lot of business worldwide (they manage the *generic* TLDs), they also do so in the EU. There are quite a lot of accredited registrars in Europe.

If *you* don't do business abroad, please use the cctld for your own country, such as .us.

On 25 May 2018

[Gonoff]

The "go live" date for the GDPR has been known for 2 years. ICANNs ignoring it for nearly 23 months is simply the uninformed arrogance that has made US businesses so disliked across the world. People who do business with US companies do so warily. They like to think that "other peoples" laws do not apply to them and they think that US laws do apply to foreigners.

(If you do business in country XXX, the laws of that country apply to you. The laws of the USA do not apply in XXX. If someone has signed a treaty, that applies but getting the USA to fulfil its obligations is not a given.)

If a change had been applied in the US that had given privacy to people in the US, how long do you think the rest of the world would have been given to comply? It would not have been the 2 years ICANN has had. I suspect it would have been between 50 days and a month.

Uh, yeah, ICANN had enough notice.

[slack_justyb]

ICANN now has a little over a month to come up with a replacement

After having been given almost three years of notice to do something about it. Look, it was never a point about if ICANN could or could not fix it. ICANN made it quite clear from their actions that they were not ever going to fix it. This whole thing shows that the most recent round of directors at ICANN are commercial focused buffoons that lack any real understanding of law or technology. It's a shit show right now at ICANN so this entire thing like, "Oh No! WHOIS will break!" is crap. Have idiots running an organization, watch idiotic results flow from that organization. It's that simple.

This is bad because...

[XSportSeeker]

Let me ask something here because I might not be seeing the complete picture.
Is this a bad thing? If so, why?

I have a couple of domains that I always felt extremely uncomfortable for them demanding that I list personally identifiable data to register, and that it would be exposed in listings for anyone and everyone to find out if they wanted to.
This single fact always gave me pause on publishing stuff and speaking my voice out for the potential of having trolls and whatnot finding out my private information and essencially doxing me.
I dunno how exactly things work in other countries, but I was never given the option to make this information anonymized or private - not even paying more for it.

So, I might be missing something here, but personally, good riddance.
And see that I'm not saying the info shouldn't be given... for criminal cases and whatnot, the information should still be there. Just not exposed bare in public.

Bullshit

WHOIS is part of the mandatory imprint that every site has to offer (also EU law).