EU privacy GDPR might restrict WHOIS information but Redl, U.S. lead, says it won’t happen.
There will be strong debate at the 10 March Puerto Rico March ICANN meeting, as both practical people and the security apparatus work to keep some information about who owns what public. Most of the pornographers and drug salesman already are anonymous, through a paid service offered by the registry folks. The new EU privacy rules may extend that to everyone, a further annoyance. (Note – almost all the reporting on this ignores that most of the miscreants already are protected.)
David Redl, the NTIA head who leads the U.S. efforts, says “the WHOIS service can, and should, retain its essential character while complying with national privacy laws, including the GDPR. … The U.S. government expects this information to continue to be made easily available through the WHOIS service.” My initial impression was that Redl support was wide, but an informed observer’s note suggests privacy has support as well.
“It’s much messier than that. Most (but by no means all) stakeholders are aligned with the first part of Redl’s statement. “Commercial” (but not contracted) stakeholders would agree with the whole thing. Many registries and registrars (particularly those in the EU) are taking a conservative/pragmatic approach in the short term, which may mean making a good deal of WHOIS information unavailable or only available after some sort of validation or accreditation process. In the long run, some sort of negotiated solution is likely, but there’s no time to get that done before May 25, 2018. Many noncommercial stakeholders (e.g., in NCUC) are very strong privacy advocates, and they think this is long overdue — not a mistake at all. Not only that, some would like (or at least not mind) privacy protections that are broader than GDPR requires, even if that only comes about because finding the boundaries between protected persons and unprotected persons is not easy. GAC, law enforcement and the anti-abuse/cybersecurity communities are fully aligned with Redl.”
The first step toward figuring out the control of a website is to check the WHOIS service, able on the net from most registrars. When you register a domain, you are obligated to say who you are and how to contact you. You then get a pile of spam wanting to sell you website building and other services, including how to reach #1 on Google search.
Dozens of lawyers have been working frantically to decide which loophole to use.
Redl’s comments, for context. “Today, I would like be clear — the WHOIS service can, and should, retain its essential character while complying with national privacy laws, including the GDPR. It is in the interests of all Internet stakeholders that it does. And for anyone here in the U.S. who may be persuaded by arguments calling for drastic change, please know that the U.S. government expects this information to continue to be made easily available through the WHOIS service.”