Whois public database is in breach of GDPR, according to European authorities

Note that since the issue is GDPR compliance, this should only be a problem for registrants who are natural persons. So if Whois data were only collected and published for corporations, there shouldn&#x27;t be a problem.<p>I always felt uncomfortable having to submit my personal data, specifically: my address and phone number, and for it to be published like that (regarding domains where Whois protection services are not allowed). I can understand the motivation for this with regards to corporations and organizations, but what benefit is there with regards to natural persons?

A little-known fact: WHOIS is extensively relied on by spam fighters like Spamhaus to do their good work, which collectively saves all of us from an enormous tidal wave of spam that would otherwise consume vast resources. Internally, the anti-spam and more generally the anti-abuse community builds a huge and mostly real-time cross-referenced database of information about domains and IP addresses. This database would be impossible to build without WHOIS.<p>For example, if one domain shares the same contact email address as another, then the domains are related somehow. Doing some data mining on a variety of signals which are apparent in the WHOIS records can help to cluster related domains to help anti-abuse researchers find newly problematic domains by following the trail through WHOIS.<p>I&#x27;m not sure how researchers will do their job effectively without WHOIS. This development is truly a disaster for anti-abuse.

Whois is no longer such a good idea in this age of doxing anyway. I don’t know anyone who isn’t hiding their whois details and writing fake names and addresses.<p>I had the misfortune of using namecheap and entered my real details once. Their whois privacy didn’t apply to the particular gtld and I only found out once the spam arrived. Never putting any real details ever again.

&gt; From the article -<p>&quot;Critics point out that ICANN has largely brought these problems on itself, having ignored official warnings from the Article 29 Working Party for nearly a decade, and only taking the GDPR requirements seriously six months ago when there has been a clear two-year lead time.&quot;<p>&gt; From: <a href="https:&#x2F;&#x2F;www.icann.org&#x2F;resources&#x2F;pages&#x2F;what-2012-02-25-en" rel="nofollow">https:&#x2F;&#x2F;www.icann.org&#x2F;resources&#x2F;pages&#x2F;what-2012-02-25-en</a><p>&quot;ICANN was formed in 1998. It is a not-for-profit partnership of people from all over the world dedicated to keeping the Internet secure, stable and interoperable. It promotes competition and develops policy on the Internet’s unique identifiers.<p>ICANN doesn’t control content on the Internet. It cannot stop spam and it doesn’t deal with access to the Internet. But through its coordination role of the Internet’s naming system, it does have an important impact on the expansion and evolution of the Internet.&quot;<p>---<p>Editorial: The disconnect is frightening.

One month to adapt? They have had two years. Also, I fail to see how this is a problem, considering that quite a few domains nowadays seem to use WhoisGuard or a similar service anyway.

It is always the same, a law is enacted and it includes a window of a few years to give everybody time to implement it. A few weeks before the law goes into effect, everybody is screaming that they need more time. I guess we don&#x27;t leave university after all.

Original blog post from Michele Neylon of Blacknight (registrar based in Ireland): <a href="https:&#x2F;&#x2F;blacknight.blog&#x2F;game-over-for-public-whois-article-29-gives-icann-the-advice-it-asked-for.html" rel="nofollow">https:&#x2F;&#x2F;blacknight.blog&#x2F;game-over-for-public-whois-article-2...</a><p>As an ex-customer, I&#x27;ve found that Blacknight are generally supportive of Internet freedoms and they do a lot to advocate the adoption of IPv6.

Why does WHOIS need someone&#x27;s phone number anyway? I didn&#x27;t have a phone number between 1993 and 1998 and I would have liked to have had a domain back then. (I almost did buy one, except they were too expensive back then.)

Interesting, I just queried the WHOIS records of a .im domain which used to display my personal information, but now it displays:<p><pre><code> This information has been redacted to comply with European Union General Data Protection Regulations (GDPR). Please contact us at info@nic.im if you have any further queries. Domain Managers Name: Redacted Address Redacted Domain Owners &#x2F; Registrant Name: Redacted Address Redacted [...]</code></pre>

Whois can perfectly have only technical data.<p>- domain expiry<p>- domain registration date<p>- nameservers<p>Everything else is not needed and as such would comply with GDPR.

It sounds like a positive policy to me, I don&#x27;t understand the backlash of the author of this article, personal details have no relation to domain names and I don&#x27;t see why they should.

I didn&#x27;t mind my info being in whois records. Until websites started hosting that info. And Google started crawling those websites.<p>There&#x27;s a big difference between your wife&#x27;s ex guessing your domain and running whois on it to find her home address, vs just being able to Google her name to find it.

Completely unacceptable response from ICANN. They don&#x27;t need a special exemption. Turn the service off until you can fix it. And they had plenty of time!

If whois is not public, how do I even know if I own my domain?<p>What if the company that I register my domain with just registers it for themselfes and when I have built a million dollar business on it, they sell it to somebody else?

I wonder if Companies House in the UK is also affected. I tried to get them to remove personal information a while back as it wasn&#x27;t a requirement for new businesses. They said no.<p>I supplied that information long before Companies House made it easily available.<p>I will try again after the GDPR is place.

Don&#x27;t see a problem. I don&#x27;t get why do I need to provide my full name, address and a phone number to register domain. What&#x27;s even worse is that someone can just look it up.

This will end WHOIS I think. It should provide interesting to see the side effects of abuse&#x2F;spam where they can&#x27;t be identified as easily anymore. On the flip side, mass IP demand letters will become much harder when you can&#x27;t target someone as easily.

It would be fun to compile a list of EU government websites that don&#x27;t comply with GDPR.

Why did ICANN require &quot;thick&quot; whois data from registrars?<p>Ms. Jelinek&#x27;s letter suggests that collecting this user data , possibly for the benefit of various &quot;stakeholders&quot;, was outside the scope of ICANN&#x27;s charter.<p>Why was it a requirement for ICANN-approved registrars to collect and share this user data? What was the rationale?

I get so much SPAM from WHOIS, email, phone, and texts. My hosting service wants to charge me to anonymize it.<p>Twisting ICANN&#x27;s arm to hide this information is desperately needed.

Absurd. Users &quot;consented&quot; when they signed up for a domain. Don&#x27;t like it? Use a whois service to anonymize.

So block Europe from all DNS. Simple.

nobody mentions namecoin?

Pity this is flagged. It&#x27;s hacker relevant, the Register is a well regarded technology site, and I&#x27;d rather a plain speaking title with some mildly rude words than some Vox clickbait.

Wow, this is the first time I&#x27;ve seen a [dead] article on the front page. Not sure I understand the front page algorithm. Vouched, of course, as it&#x27;s definitely newsworthy to hackers to know that the law is potentially going to shut down the whois service.

First ... they came for ICANN, and I did not speak out.

Yikes, GDPR is a well-intentioned shitshow. It&#x27;s trying to graft new requirements onto something that was never designed to support them. And it looks like it is going about as well as trying to slap multiplayer on top of a hoary old single-player game engine.

Correct move :). ave Evropa

I hope ICANN will get a huge penalty for continuing their whois service after end of May.

I really don&#x27;t see why DNS records should be in the purview of the GDPR. I also think they are not public enough. It can be hard to contact people. Information is outdated, false or just hidden. Usually being able to call the person responsible for a domain and say hey your email server has relaying enabled and pushing out a lot spam gets them to fix it.<p>I can understand person not wanting to put their address, but I say phone, email, name and points contact should be necessary. It is a public system after all.<p>Spam can be a problem as well, but these records do serve a purpose. They also are important for ownership of a domain if a dispute was to arise.