Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
The Internet EU Government Privacy

Will GDPR Kill WHOIS? (theregister.co.uk) 215

Slashdot reader monkeyzoo shares the Register's report on a disturbing letter sent to ICANN: Europe's data protection authorities have effectively killed off the current service, noting that it breaks the law and so will be illegal come 25 May, when GDPR comes into force... ICANN now has a little over a month to come up with a replacement to the decades-old service that covers millions of domain names and lists the personal contact details of domain registrants, including their name, email and telephone number. ICANN has already acknowledged it has no chance of doing so... The company warns that without being granted a special temporary exemption from the law, the system will fracture. ["Registries and registrars would likely implement varying levels of access to data depending on their interpretations of the law," ICANN warns.]
"ICANN had made the concept of a moratorium the central pillar of its effort to become compliant with the law," writes the Register. "But its entire strategy was built on a fantasy."

Thursday the EU's data protection advisory group told the site that there's no provision in the GDPR for an "enforcement moratorium", and the Register adds that the EU's data protection advisory group "is clearly baffled by ICANN's repeated requests for something that doesn't exist."
This discussion has been archived. No new comments can be posted.

Will GDPR Kill WHOIS?

Comments Filter:
  • But it may make it change into the need to access the registrar to get further information whenever needed.

    • Blockchain to the rescue!
    • by Joce640k ( 829181 ) on Saturday April 28, 2018 @12:19PM (#56519757) Homepage

      Let's hope so.

      At the moment the whois database is:
      a) A free mailing list for spammers
      b) An excuse for ISPs to charge extra for "private listings".

      If this law can change the situation then it gets my vote.

      • This.

        Be sure to register your domains with European registrars.

      • by lucm ( 889690 )

        An excuse for ISPs to charge extra for "private listings"

        Try AWS Route 53. $11 domains including privacy.

        It's best if you use your own DNS service though (or the one from Office365 or Linode) because otherwise AWS charges you $0.50/zone per month.

        • by Khyber ( 864651 )

          "Try AWS Route 53. $11 domains including privacy."

          And when that domain is found to be conducting illegal activities? I guess Amazon would then need to be held responsible for aiding and abetting.

          • Actually no. When that domain is found to be conducting illegal activities, the police will show a court order to Amazon asking to identify the registrant.

            It is the same procedure that is used now to identify people based on their IP addresses. There is no public directory of IP address vs subscriber, however, if you post a bomb threat as a comment on some site, you may get a visit from the police anyway.

      • Re:Probably not kill (Score:5, Interesting)

        by Antique Geekmeister ( 740220 ) on Saturday April 28, 2018 @04:10PM (#56520749)

        Please allow me to disagree. The "free mailing list for spammers" is for data that is typically already accessible by many other means, all of which are already in use by spammers.

        Also note that most domains are not legitimate. Most are owned by domain squatters. In particular, they are owned by Network Solutions, which pre-registers all unused domains that are looked up from their servers, including their "whois" services and held hostage to prevent the people who sought the domain from registering it anywhere but through Network Solutions. The practice is sometimes known as "domain frontrunning", but I would certainly qualify it as cyber squatting. Network Solutions, and the domain registrars for the more than 1000 current top level domains, can do this without paying any fees for the 4-day holding period.

        Other sources of fraudulent domains, eased by current policies, are fomain squatting for fraud. It's been useful to be forced to provide valid contact information, since a business owner can be contacted and served with a court order to cease operations, and a fraud can be reported for fraudulent contact information and get their domain canceled. It's also been useful to contact domain owners to notify them of network or service difficulties that are otherwise difficult to report: "send me email" or "go to the website" does not work when the site's DNS service has failed for any reason, or web servers are down. I've certainly used it that way and it's been invaluable to reach business partners in the middle of the night, when even their own alert system is disabled by a network issue.

  • by Anonymous Coward on Saturday April 28, 2018 @11:45AM (#56519591)

    i wonder if icann was getting kickbacks from godaddy and the like from 'private' registration fees.. and that was the reason for them dragging their feet here.. eu's new requirements all but kills that 'little' side business and profit center.

  • Do as Sweden do (Score:4, Informative)

    by therealspacebug ( 4922543 ) on Saturday April 28, 2018 @11:46AM (#56519599)
    Swedens domain .se does not show who owns a domain. If more info is needed you have to ask the register.
  • by FeelGood314 ( 2516288 ) on Saturday April 28, 2018 @11:55AM (#56519643)
    We may not need all the fields in the WHOIS record but there are many that are currently needed for the internet to function. I find it bizarre that the EU's data protection advisory group doesn't understand this and wouldn't create some sort of temporary provision to allow ICANN time to adjust. Their response seemed very arrogant.
    • by Zocalo ( 252965 ) on Saturday April 28, 2018 @12:17PM (#56519749) Homepage
      They've had two years since the GDPR was signed to law to prepare, and arguably *ten* years since the working group tasked with creating the GDPR first started outlining what they were going to propose to assess the likely impacts. ICANN have had plenty of time to "adjust" - and that other WHOIS providers around the world have adjusted is evidence of that - but chose to stick their head in the sand and claim it had nothing to do with them then, when it became obvious that was incorrect, to rely on something even their own legal counsel and contracted registrars told them was not going to fly. GDPR might be a vague legal quagmire for those that have to comply with it, but this, and the contractual mess it creates for their contracted registrars, is entirely down to ICANN's mismangement of the situation.
    • by Joce640k ( 829181 ) on Saturday April 28, 2018 @12:25PM (#56519783) Homepage

      I suspect the Internet will continue to function perfectly without my fake name, fake address and fake telephone number.

    • Nothing in WHOIS is needed by networks. Everything the networks need is in the DNS database.

    • Really? Which whois records are needed for the internet to function? I mean whois privacy is a thing for a long time now, it just costs extra. With the new law people won't have to pay extra.

      GDPR allows for the storage of personal data - as long as there is a valid reason to do so. For example, you run a repair shop and a client has brought his appliance for you to fix. You need the serial number of the appliance for warranty (not personal data) and you need the name and phone number of the client so you ca

      • GDPR isn't overriding all other laws. In the example you give, there are also laws for for keeping records. You would have to remove her from the customer database of requested, but the records on who did what for whom will love on in accounting.
        • The example was for warranty service. Under warranty, the money changes hands between the service center and the manufacturer, the customer is not involved in that transaction, only their appliance is. You only need the customer's telephone number so you can contact them when the repairs are one. You only need the customer's address if you plan on delivering the repaired appliance to them. You no longer need the information after the customer takes his appliance from you.

          But yes, if you do out-of-warranty s

    • by brunes69 ( 86786 )

      The group in charge of GDPR doesn't have the slightest idea how modern technology, software, cybersecurity, or the Internet in general works to begin with. If they did, then the GDPR would have been more sane.

      • The GDPR is put into place because way too many companies are abusing the privacy of people.

        It still has provisions to allow data to be used if it is properly anonymized. But the goal is to make it harder to have privacy-invading calls to individuals and abuse personal data.

  • their weight around and they couldn't.
  • by Artagel ( 114272 ) on Saturday April 28, 2018 @12:00PM (#56519667) Homepage

    Well, this is one in a long line of people applying for exemptions to laws because they are special. The usual answer is, no, you are not special. It isn't for the administrative apparatus to get rid of the law it administers, it is for the political body responsible for the measure to pass a corrective measure.

    Presumably one would have to contact domain name holders through their registrars without knowing who the registrant is. The system is not transparent, but it is private.

  • WHOIS is a joke... (Score:2, Insightful)

    by b0s0z0ku ( 752509 )

    I don't see major privacy implications. You can easily put a throwaway email address and a fake mailing address in your contact info, especially if you pay for the domain with a prepaid debit card. No one really cares.

    WHOIS is mainly good for the domain owner because:
    (1) Someone can contact them if they get hacked and the domain is being used for unsavory purposes like spam or phishing.
    (2) People offering to buy the domain can contact them. If you don't want the offer, don't reply.

    What's the big deal?

    • I don't see major privacy implications. You can easily put a throwaway email address and a fake mailing address in your contact info, especially if you pay for the domain with a prepaid debit card. No one really cares.

      Technically, it's illegal to do so.

    • I don't see major privacy implications. You can easily put a throwaway email address and a fake mailing address in your contact info, especially if you pay for the domain with a prepaid debit card. No one really cares.

      If you do this you can lose your domain. Some people don't want their information in whois records for multiple reasons including to protect themselves from physical violence.

      Paying extra to keep your information out of whois is the same as paying extra to keep your name out of the white pages. This is extortion. It also actively encourages people to use bogus information to avoid having their information out there.

      If everyone had a choice with no monetary repercussions whether or not to make their info

    • A lot of people use whois privacy service, even though most registrars charge extra for it.

      So, the registrars can just make whois provacy the default and no extra charge. They would probably be compliant with the law.

  • LOL (Score:5, Interesting)

    by matushorvath ( 972424 ) on Saturday April 28, 2018 @12:23PM (#56519773)

    We have been working on getting our software GDPR compliant for past 6 months, with a huge effort in both analysis and development. And these guys think they will just shrug it of by waiting until the deadline and then writing a letter to the point of "we can just ignore this, right?" I literally LOLed.

    That said, GDPR is complete nonsense, nobody will be fully compliant, and EU will not be able to punish everyone who is not compliant and will either have to ignore its own rules or amend them very soon.

    • Re:LOL (Score:5, Insightful)

      by AmiMoJo ( 196126 ) on Saturday April 28, 2018 @12:36PM (#56519819) Homepage Journal

      That said, GDPR is complete nonsense, nobody will be fully compliant, and EU will not be able to punish everyone who is not compliant and will either have to ignore its own rules or amend them very soon.

      The classic "respecting your privacy is too hard" argument. Sure, it will take some time for everyone to come into compliance, but that's only because things got so bad already.

      • The classic "respecting your privacy is too hard" argument. Sure, it will take some time for everyone to come into compliance, but that's only because things got so bad already.

        Exactly. I mean it's a huge pain in the arse in that you can't be lax with user data, just as it's a huge pain in the rse to pay taxes, file proper accounts and not pullute the local waterways.

      • I'm all for privacy, but GDPR will impossible to follow in practice. One of the big issues is the right to be forgotten. We are a company with 50000 employees worldwide, with tons of information systems that are not completely integrated. If you call and tell me you want the whole company to forget that you exist, I am somehow supposed to access an excel file on a shared folder in Thailand that somebody created 10 years ago and delete your address from it even though your name was misspelled or you changed

        • Does the excel file also have the credit card numbers of your customers?

          Under the new law you will only be able to handle my personal data for explicitly defined purposes, so, there will probably be a list of employees who can access my data and that list won't include "everyone in the company".

        • And that is also not required by the GDPR, you have to make a reasonable effort in order to remove the details, not a herculean effort. This is e.g why backups are not covered by the GDPR.

        • by pjt33 ( 739471 )

          In your scenario it sounds like 10 years ago the company was already in violation of the Data Protection Directive. The big changes are how serious the fines can be, not how you can store and use data.

        • by AmiMoJo ( 196126 )

          With 50k employees you must have someone who understands the GDPR who can explain why this isn't a real issue. In fact you should have been told by now anyway if it is at all relevant to your job.

        • That's not realistic and will not happen

          Prosecution for the example you posted is not realistic and will not happen either. The amazing thing about this example is that if you can't reasonably find the data it's unlikely that someone else will either.

          The law is pretty black and white and doesn't give participation awards for trying. But the reality is the application of the law will be directly tried to that effort.

        • by Cederic ( 9623 )

          So basically you're telling me your company doesn't control, track or understand the data it holds.

          That also means you can't properly protect the data subjects. Sounds like a big fine would be entirely fucking appropriate.

      • by brunes69 ( 86786 )

        Anyone who posts a comment like yours either

        (a) Knows nothing about how software and computers work in general

        (b) Knows nothing about GDPR

        (c) Has enough of an intersection of (a) and (b) that they are still very misinformed.

        GDPR is a total farce and complete nonsense. If you don't realize that, then you don't know enough about it.

  • Don't most people just pay for their info to be anonymised? Companies, organisations, companies, etc. should have to declare who they are and usually do on their website anyway.
  • Does this also spell the death of the SOA and RP records in DNS, since they also broadcast contact information?
  • The US government would have sovereign immunity to non-sense such as this.
  • Why should ICANN care?

    Not every entity in the world has to be complaint with EU law. Or US law. Or Chinese or Iranian law.

I cannot conceive that anybody will require multiplications at the rate of 40,000 or even 4,000 per hour ... -- F. H. Wales (1936)

Working...