Will GDPR Kill WHOIS? (theregister.co.uk)
Slashdot reader monkeyzoo shares the Register's report on a disturbing letter sent to ICANN:
Europe's data protection authorities have effectively killed off the current service, noting that it breaks the law and so will be illegal come 25 May, when GDPR comes into force... ICANN now has a little over a month to come up with a replacement to the decades-old service that covers millions of domain names and lists the personal contact details of domain registrants, including their name, email and telephone number. ICANN has already acknowledged it has no chance of doing so... The company warns that without being granted a special temporary exemption from the law, the system will fracture. ["Registries and registrars would likely implement varying levels of access to data depending on their interpretations of the law," ICANN warns.]
"ICANN had made the concept of a moratorium the central pillar of its effort to become compliant with the law," writes the Register. "But its entire strategy was built on a fantasy."
Thursday the EU's data protection advisory group told the site that there's no provision in the GDPR for an "enforcement moratorium", and the Register adds that the EU's data protection advisory group "is clearly baffled by ICANN's repeated requests for something that doesn't exist."
Well, this is one in a long line of people applying for exemptions to laws because they are special. The usual answer is, no, you are not special. It isn't for the administrative apparatus to get rid of the law it administers, it is for the political body responsible for the measure to pass a corrective measure.
Presumably one would have to contact domain name holders through their registrars without knowing who the registrant is. The system is not transparent, but it is private.
I don't see major privacy implications. You can easily put a throwaway email address and a fake mailing address in your contact info, especially if you pay for the domain with a prepaid debit card. No one really cares.
WHOIS is mainly good for the domain owner because:
(1) Someone can contact them if they get hacked and the domain is being used for unsavory purposes like spam or phishing.
(2) People offering to buy the domain can contact them. If you don't want the offer, don't reply.
What's the big deal?
They've had two years since the GDPR was signed to law to prepare, and arguably *ten* years since the working group tasked with creating the GDPR first started outlining what they were going to propose to assess the likely impacts. ICANN have had plenty of time to "adjust" - and that other WHOIS providers around the world have adjusted is evidence of that - but chose to stick their head in the sand and claim it had nothing to do with them then, when it became obvious that was incorrect, to rely on something even their own legal counsel and contracted registrars told them was not going to fly. GDPR might be a vague legal quagmire for those that have to comply with it, but this, and the contractual mess it creates for their contracted registrars, is entirely down to ICANN's mismanagement of the situation.
UNIX? They're not even circumcised! Savages!
Let's hope so.
At the moment the whois database is:
a) A free mailing list for spammers
b) An excuse for ISPs to charge extra for "private listings".
If this law can change the situation then it gets my vote.
No sig today...
No explanation of what the law is, or what provision that ICANN is in violation of... WTF kind of summary is this?
If you don't know how to use google then you probably shouldn't be reading this story.
https://www.cennydd.com/writin...
No sig today...
I suspect the Internet will continue to function perfectly without my fake name, fake address and fake telephone number.
No sig today...
That said, GDPR is complete nonsense, nobody will be fully compliant, and EU will not be able to punish everyone who is not compliant and will either have to ignore its own rules or amend them very soon.
The classic "respecting your privacy is too hard" argument. Sure, it will take some time for everyone to come into compliance, but that's only because things got so bad already.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
You can also google these news stories without ever having to visit Slashdot. The reason for coming here is for curated information which fosters discussion. The summary provides the minimum information to understand the nature of the discussion and links to resources containing the fuller details. I would have to agree that this summary has failed to do that. The fact it's possible to work around the summary's deficiencies with a little extra labor does not make those deficiencies non-existent.
What makes more sense -- a million readers having to look up what GDPR is, or one person defining it?
When things get complex, multiply by the complex conjugate.
There's a quick solution to all of this. ICANN and IANA jointly run the root servers. Announce that any TLD registrar that doesn't provide WHOIS service will no longer be listed, and see how many days it takes the EU to fix their law.
If there is a conflict between the GDPR and WHOIS, then contrary to popular belief here on Slashdot, this is a flaw in the GDPR. As far as I know, even in the EU, people are not allowed to do business as a fictitious entity without registering their identity in a way that someone defrauded can look them up. The WHOIS database is the Internet equivalent of that. It serves an important role in the governance of the Internet, particularly with regards to copyright enforcement, but also with regards to libel laws, etc.
What the EU has done, with GDPR, is try to override the laws of many, many other countries whose laws require WHOIS to exist in one form or another, and to tear down one of the foundational pillars of Internet governance itself.
IMO, the nuclear response is the correct one. If, after GDPR goes into effect, registrars drop WHOIS, the Internet as a whole should drop all domains from that registrar from being visible anywhere outside of Europe. If they don't want domains to have to identify their owners, they can feel free to create their own little ultra-anonymous hell, cut off from the rest of the world. If they want the rest of the world to be able to see their websites, keeping their contact information up-to-date publicly is one of the requirements.
More to the point, everyone who owns (rents) a domain name knows this. The GDPR was intended to prevent companies from using people's personal information without their knowledge or consent. No domain owner should be surprised by the fact that WHOIS exists or by the fact that his or her information is being used in this way, because it was made abundantly clear in the ICANN domain registration agreement that he or she had to sign prior to registering a new domain name.
Further, ICANN-based registrars typically even go beyond the requirements of GDPR by regularly reminding registrants of their contractual obligation to keep their information in WHOIS up-to-date, lest their domains be confiscated.
So either the people reading the GDPR are misinterpreting it grossly or the GDPR is a train wreck of a law that attempts to force the will of a whiny group of bureaucrats over the objections of everyone involved in Internet governance. If it is the first, then the registrars will ignore the GDPR with regards to WHOIS, and nothing will change. I strongly suspect that this is the case, and that this is all much ado about nothing.
That said, if it is the latter, then the right thing to do is to segregate the EU into its own private Internet until such time as it agrees to comply with the rules of Internet governance. Their choice.
Check out my sci-fi/humor trilogy at PatriotsBooks.
Now, yes. This didn't used to be the case. Used to be you had one domain for your organisation and anything else went into subdomains. Now, of course, it's all "web address with extension" and even most webhosters are consummate idiots unfit for polite company, n'mind relying on for service.
Anyhow, breaking WHOIS to protect your "overwhelming majority" of people who have no business owning domain names in the first place, thereby depriving those who need it of a useful tool when it counts, I think of as a poor trade-off.