Posted on April 12, 2018

Will the General Data Protection Regulation be the death of WHOIS?

What is WHOIS?

When the Internet was still in its infancy, rules were created that required the person registering a domain name to provide contact information to the registering organization (i.e., the "registrar"). That information would be stored in the "WHOIS database" and made publicly accessible. (Note: For the sake of clarity, "WHOIS" is not an acronym and is pronounced "who is".) This information was used to identify the contact person for the domain in case someone wished to purchase the domain, or to identify whom to contact in case of a problem with the website or domain.

Domain registrars were and still are required to collect the contact information of registrants. Failure to collect and make the information available to the public may result in a lawsuit by the Internet Corporation for Assigned Names and Numbers (ICANN), the global nonprofit responsible for governing the Internet.

While law enforcement officials, researchers, and other users have legal and legitimate uses for the WHOIS database information, spammers and other nefarious actors have long used this publicly available information to identify individuals at organizations whom they can target with spam email or other targeted attacks. Due to recent increases in spam emails and other targeted attacks, many users have accused the registrars of selling their contact information, and are unaware that the information is legally required to be publicly available.


How is WHOIS information used?

WHOIS information may be accessed by submitting a query to a WHOIS server on TCP port 43. Legitimate uses of this information include determining whom to contact in order to purchase a domain, investigating spam emails or illegal activity, and identifying the contact person at an organization for reporting issues with the website or domain; all of this can be done with a WHOIS domain lookup tool. However, spammers are using "scrapers" to automate WHOIS requests and putting the information into databases that are used to generate spam messages or direct targeted malware attacks.

What is the General Data Protection Regulation?

The intent of the General Data Protection Regulation (GDPR) is to protect EU citizens by making their information less publicly available. However, every law has unintended consequences, and the effects of this law on WHOIS information have yet to be fully determined.

With the passage of the GDPR, the European Union (EU) has enacted a law that puts domain registrars in a difficult position: The registrar can either comply with the law by withholding WHOIS information and be in violation of their ICANN contract, or they can comply with their ICANN contract by providing WHOIS information and be in violation of the GDPR. ICANN has not yet released a complete statement or process regarding how domain registrars should handle compliance concerns.

Taking Proactive Measures

GoDaddy, one of the Internet's largest domain name registrars, has already issued a statement saying that they will begin masking some contact information from automated access points, such as WHOIS. The statement goes on to say that the WHOIS information is still fully available with a WHOIS Database download, but that it requires passing a CAPTCHA-based authentication process in order to retrieve it. Other registrars are waiting to see how it plays out before taking action.
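
The following is an added example, not code from this post or from any registrar. It shows the port 43 query described under "How is WHOIS information used?" and a check a domain owner could run to see which contact fields of a response are still exposed and which are masked. The mask markers, field prefixes and sample response are assumptions constructed for the example.

```python
import socket

# Substrings treated as "masked"; an assumption, registrars word this differently.
MASK_MARKERS = ("redacted", "privacy", "withheld", "not disclosed")
CONTACT_PREFIXES = ("registrant", "admin", "tech")

def whois_exchange(sock, domain):
    """RFC 3912 exchange on a connected socket: query + CRLF, read until close."""
    sock.sendall(domain.encode("ascii") + b"\r\n")
    chunks = []
    while True:
        data = sock.recv(4096)
        if not data:
            break
        chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")

def whois_query(domain, server, port=43, timeout=10):
    """Open TCP port 43 on a WHOIS server (server name supplied by the caller)."""
    with socket.create_connection((server, port), timeout=timeout) as sock:
        return whois_exchange(sock, domain)

def audit_contacts(response):
    """Split contact fields of a key: value response into (exposed, masked)."""
    exposed, masked = [], []
    for line in response.splitlines():
        key, sep, value = (part.strip() for part in line.partition(":"))
        if not sep or not key.lower().startswith(CONTACT_PREFIXES):
            continue  # comments, footers and non-contact fields
        if not value or any(m in value.lower() for m in MASK_MARKERS):
            masked.append(key)
        else:
            exposed.append(key)
    return exposed, masked

# Constructed sample response, not taken from any real registrar.
SAMPLE = """\
Domain Name: EXAMPLE.TEST
Registrar: Example Registrar, Inc.
Registrant Name: REDACTED FOR PRIVACY
Registrant Organization: Example Org
Registrant Email: owner@example.test
Admin Email: REDACTED FOR PRIVACY
Tech Phone:
>>> Last update of WHOIS database: 2018-04-12T00:00:00Z <<<
"""

if __name__ == "__main__":
    print(audit_contacts(SAMPLE))
```

Running the audit against your own domain's record shows which contact fields remain readable to automated port 43 clients.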
