The GDPR will probably kill WHOIS as we know it.
If you tried registering a domain during the last couple of years, most likely you’ve been flooded with hundreds of spam and scam emails about web designers, SEO experts and whatever professional role the web invented. This is just one — maybe the smallest — problem related to the privacy of the WHOIS system. And now, one of the oldest and basic service of the Internet, may be demolished by the new European Regulation on Data Protection.
What is WHOIS?
I expect the reader to already know how web domains work, so I won’t go in details explaining the system; however, it might be useful talking about the WHOIS service. This can be seen as nothing more than the address book of the Internet: every time someone registers a domain (I will limit this post to the generic top level domains, gTLDs, aka .com, .net, .tech etc.), his or her data (also its, but companies are not part of the issue here) are added by the Registrar (the company that sells you the domain) to the WHOIS registry, a worldwide public log of every domain. Everyone can easily consult the registry and find information (name, last name, address, email, telephone number) about any individual who owns a domain, for free, on several websites that offer this lookup service. And here comes the privacy issue, but let’s introduce ICANN first.
ICANN and 2013 RAA
The ICANN (Internet Corporation for Assigned Names and Number) is the organisation that manages everything fundamental about the Internet: DNS and domains are the main things completely managed by this multistakeholder institution that, until 2017, had been more or less dependent from the U.S. Department of Commerce — you can read more about the story here. What is important to know is that ICANN stipulates agreements with other companies and organisations that provide end users with domain-selling services. This is done with the Registrar Accreditation Agreement, updated in 2013 (2013 RAA), a contract which obliges all registrars to validate customers’ data and add them to the WHOIS registry. Any failure will constitute a breach of contract, as stated in the 3.2.1 clause of the 2013 RAA
3.2.1 As part of its registration of Registered Names in a gTLD, Registrar shall submit to, or shall place in the Registry Database operated by, the Registry Operator for the gTLD the following data elements: …
The same agreement takes into account privacy and mandate the Registrar to provide the customer with a proper notice, obliging the former to request consent for this data processing:
220.127.116.11 The Registered Name Holder shall consent to the data processing referred to in Subsection 18.104.22.168.
This is, in my opinion, an unfortunate choice by who wrote the agreement because now, with the new European General Data Protection Regulation (GDPR), consent is not an easy beast to face — and, contrary to everything is in place now, it should be the last resort as legal ground for processing.
GDPR and consent
If you’re reading this post, it is likely that you have a background on privacy and data protection. However, in a really simple way, GDPR sets 6 different legal grounds on which data processing could be lawfully based:
- Performance of a contract;
- Compliance with a legal obligation;
- Protect a vital interest;
- In presence of a public interest;
- In presence of a legitimate interest
and of course
- when the data subject has given his or her consent
I put consent as last point here but, unfortunately, it is the first one enumerated by the GDPR. Unfortunately, again, because, even though it represents the most common legal base, it is also the less reliable. Several conditions are attached to the consent (Article 7) and those raise the issue with the current WHOIS system. First of all, the controller (in this case, the Registrar) should be able to demonstrate that the customer has given his or her consent and that its request was given separately from the rest of the contractual agreement, in a “intelligible and easily accessible form, using clear and plain language”. Even if I have serious concerns about the Registrars’ compliance with this two points, I truly believe that a good work of user experience would solve the problem.
What can’t be solved with a modification on how the agreement is accepted by the customer is indicated in the points 3 and 4 or Article 7, namely where it is stated that consent can be withdrawn at any time, easily as it was given and it must be freely given, meaning that it can’t be a condition for a contract.
The .amsterdam and .frl case
As told by The Register (perfect name for this story…), ICANN warned FRLRegistry B.V., a Dutch registrar, to be in breach of contract when not proving the entries for the WHOIS registry after a new domain registration. The Registrar’s lawyers argued that the contract clause with ICANN is against the law — the GDPR — and thus invalid. And, in my opinion, they are right.
Indeed, the real issue is that in the case of the contract between the Registrar and the customer, this has no choice about the consent he or she gives about the data processing. Authorising the publications of his or her data in the WHOIS registry is mandatory in order to get the domain registration completed. This is a clear example of how consent can’t be legal ground for the processing and it is actually invalid. In order to be lawful, the customer should be able to choose to not to consent to the publication of the data and get anyway the desired domain.
There is a structural change that should be made to the WHOIS registry in order to comply with the consent mechanism set out by the GDPR: the public availability of the domain owners’ data should be totally voluntary and anyone should be able to make them private anytime they want.
Are the other legal basis for WHOIS useful?
No, and ICANN knows. In October 2017, the Swedish law firm Hamilton sent a memorandum to the organisation listing the several possibilities provided by the GDPR and the related issues that may arise. Here is, point by point, what can be used or not for the processing of the customers’ data; according to my opinion, the publication of the data in the WHOIS registry lacks of legal ground and thus there can’t be compliance with the GDPR as it is currently designed.
Just one more thing before going in the details: there is no doubt about the application of GDPR to the WHOIS registry, as it falls precisely into its material and geographical scope. ICANN has the role of controller since it determines the purposes (WHOIS public registry) and the means of the processing, indicating to the Registrars which data collect and how to do it. It might be the case that the Registrars could be controllers as well, but they are for sure processors.
- Performance of a contract
The second option provided by the GDPR for a lawful processing is when
(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
When providing services to customers, this is the legal ground that should be preferred, due to its reliability and clarity. Unfortunately, this clause can be used only partially in this situation. What should be noted indeed is that the contract that can set the basis for the processing should involve the data subject as a party. The 2013 RAA is yes a contract, but signed between ICANN and the Registrar. Customers’ data can be processed for the purpose of the contract with the Registrar, as long they’re necessary to provide the registration service. This can of course include the communication of owner’s data to the WHOIS registry, but there is no way it can authorise the publication of them.
- Compliance with a legal obligation of the controller
Not even this justification can be use to publish data online. Controller in this case is ICANN an the organisation is not bounded to any legal obligation to public disclose domains’ owners’ data. Moreover, it would be interesting to understand the subject which can impose legal obligations to ICANN, since this is the main point of discussion about the organisation and governance of the Internet.
- Vital interest
I think it’s clear enough why this point is not related with our discussion.
- Public interest
Here, it can be argued that there are possibilities for the controller to process data “for the performance of a task carried out in the public interest”. Indeed, it might be required, for example, for police investigations, to have a registry with domains’ owners’ data. However, I am not arguing the existence of the WHOIS registry but its public accessibility. Therefore, if the public interest can be a solid legal ground to collect and store customers’ data, it can’t be useful in order to publish them on the open Internet.
- Legitimate interest
This is for sure the more controversial and debated legal ground for processing: it can be used, for example, for direct marketing purposes by a company that collected data for other purposes (Recital 47 GDPR). However, the legitimate interest must be weighed against, and override, the fundamental rights and freedoms of the data subject, and this is up to the controller to demonstrate (Recital 47). The controller ICANN could have several reason to justify its processing, like administrative reasons, investigate fraud, consumer deception, intellectual property violations, etc. But this is again not enough to justify the publication of data online. On the insufficiency of background for this specific case, the Hamilton firm wrote perfectly:
Although it can be argued that each of the usages listed above could qualify as a legitimate interest, it must, in relation to the weighing against fundamental rights and freedoms of the data subjects, be taken into account that the Whois data is currently being made available to the general public, in large quantities and that the data can be used for other purpose than the ones listed above or otherwise intended, with very limited means of control for the controller.
Last point: the right to object (Article 21 GDPR) gives data subjects the possibility to stop the processing of data when it’s based — among the others — on legitimate interest. In this case, the same issue as with consent withdrawal arises.
As I’ve shown, there is no much left for ICANN to maintain the WHOIS public registry, when falling in the scope of the GDPR — all the activities carried out by ICANN outside of the EU, that have nothing to do with EU data are still ok.
The only basis that can actually be used is still consent: but this require a big transformation of the whole WHOIS system, switching it to a complete optional service to which new customers can opt-in. Data can be lawfully collected and stored by ICANN but they must remain private, accessible by third parties only when there’s enough ground, as provided by GDPR. Using Hamilton’s words
“ there is no quick and easy way for moving forward with the Whois services in their current form”.
In the last years, for several reasons — not last the increasing amount of automated spam — a number of registrars started to offer privacy services related to new domains: the customers give his or her data to the registrar that works as a proxy and add its information in the WHOIS registry. The concept of proxy registration is explicitly provided by the 2013 RAA — even though contained in a clause that should’ve expired and has been extended to 1/01/2018 — and usually is given behind payment to the customers.
Two are the main problems with this service:
- As I just said, it’s not free. If you looked at this feature with the lens of the GDPR, you would see customers paying in order to obtain something that should already be included in their rights. In other, simple words, customers are paying to stop an unlawful behaviour.
- This service is not available for every domain. Moreover, it basically depends on the will of the registrar, that can choose not to offer the proxy registration. For example, on .us and .in domains, privacy is not allowed
Last clarification: I only discussed gTLDs because for country code domains (ccTLDs) the system is slightly different, since different kind of parties are involved, like national organisations. This led to the fact that some countries already decided to implement privacy by default on their registries. You can find a list of these countries here.