
GDPR and WHOIS Privacy

By Anthony Eden

In 2018, the European Union's General Data Protection Regulation (GDPR) went into effect. The most significant impact on the domain industry from GDPR is the changes to ICANN's (Internet Corporation for Assigned Names and Numbers) policies for WHOIS information. ICANN, domain registries, and domain registrars reacted to GDPR by introducing a new policy requiring redaction of personal information, thus changing the landscape of domain registrations.

GDPR and Its Impact

The most significant impact of GDPR in the domain industry is on how registrant data is handled in the public WHOIS. WHOIS is a protocol that all registrars must implement; it is used to provide information about a domain to the general public. WHOIS has historically been a treasure trove of information about anyone who registered a domain. In response to spam arising from publicly available information, as well as the risk of public information being used to harass or harm domain holders, domain registrars started offering WHOIS privacy long ago. WHOIS privacy allows a proxy entity to present its own information in the public WHOIS, while the proxy keeps the original domain holder's information in secure, private storage.

A Bit More on ICANN Policies

The Temporary Specification for gTLD Registration Data is the document that currently defines how registries and registrars must handle registrant data.

The temporary policy states:

For fields that Sections 2.3 and 2.4 of this Appendix requires to be "redacted", Registrar and Registry Operator MUST provide in the value section of the redacted field text substantially similar to the following: "REDACTED FOR PRIVACY"

and

In responses to domain name queries, Registrar and Registry Operator MUST treat the following Registrant fields as "redacted" unless the Registered Name Holder has provided Consent to publish the Registered Name Holder's data:

Registry Registrant ID
Registrant Name
Registrant Street
Registrant City
Registrant Postal Code
Registrant Phone
Registrant Phone Ext
Registrant Fax
Registrant Fax Ext

For email addresses, the policy states:

In responses to domain name queries, in the value of the "Email" field of every contact (e.g., Registrant, Admin, Tech):

Registrar MUST provide an email address or a web form to facilitate email communication with the relevant contact, but MUST NOT identify the contact email address or the contact itself.

The email address and the URL to the web form MUST provide functionality to forward communications received to the email address of the applicable contact.

Due to these requirements, registrars have taken measures to achieve compliance. In the case of our upstream providers, they are redacting all registered name holder data automatically. This is why you see REDACTED FOR PRIVACY in most of the fields in WHOIS when you register a domain through us.
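As an added illustration (not part of the original post or of DNSimple's own code), the following Python script parses a constructed WHOIS response, checks every registrant field the Temporary Specification lists against the REDACTED FOR PRIVACY marker, and classifies how the contact email is presented (marker, web form, or bare address):

```python
import re

# Registrant fields the Temporary Specification lists as "redacted" unless
# the registered name holder has consented to publication.
REDACT_REQUIRED = (
    "Registry Registrant ID", "Registrant Name", "Registrant Street",
    "Registrant City", "Registrant Postal Code", "Registrant Phone",
    "Registrant Phone Ext", "Registrant Fax", "Registrant Fax Ext",
)
REDACTED_MARKER = "REDACTED FOR PRIVACY"

# Constructed WHOIS output for illustration; not a real lookup.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE.COM
Registry Registrant ID: REDACTED FOR PRIVACY
Registrant Name: REDACTED FOR PRIVACY
Registrant Organization: Example Org
Registrant Street: 1 Main Street
Registrant City: REDACTED FOR PRIVACY
Registrant Postal Code: REDACTED FOR PRIVACY
Registrant Country: US
Registrant Phone: REDACTED FOR PRIVACY
Registrant Phone Ext: REDACTED FOR PRIVACY
Registrant Fax: REDACTED FOR PRIVACY
Registrant Fax Ext: REDACTED FOR PRIVACY
Registrant Email: jane.doe@example.com
"""

def parse_whois(text):
    """Turn 'Key: value' lines into a dict; later duplicates win."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip():
            fields[key.strip()] = value.strip()
    return fields

def unredacted_fields(fields):
    """Policy-listed fields that still carry a value instead of the marker."""
    return [f for f in REDACT_REQUIRED
            if f in fields and REDACTED_MARKER not in fields[f].upper()]

def classify_email(fields, contact="Registrant"):
    """'redacted' (marker or absent), 'web-form' (URL), or 'address'.
    A bare address may still be a registrar forwarding alias; this
    heuristic cannot tell that apart from a personal mailbox."""
    value = fields.get(f"{contact} Email", "")
    if not value or REDACTED_MARKER in value.upper():
        return "redacted"
    if re.match(r"https?://", value, re.IGNORECASE):
        return "web-form"
    return "address"
```

Running the checks on the sample flags Registrant Street as the one policy-listed field left unredacted, which is the kind of gap a registrar would want to catch before publishing records.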

The Impact on Domain Transfers

One impact of this change is that the gaining registrar during a transfer is no longer required to get a Form of Authorization prior to initiating a domain transfer. The losing registrar is still required to get a Form of Authorization, which is why you will receive an email asking for confirmation of the transfer when you request a transfer away from us.

If you want to transfer a domain into DNSimple, be aware that we will not send you an email at your current registrant email address, as it is not possible for us to acquire that information via WHOIS. You may still receive an email that you need to approve from your current registrar. Conversely, if you are transferring a domain out of DNSimple, you may still receive a transfer authorization email requesting your approval to transfer the domain away.

The Impact on Certificate Request Verifications

Another impact of the change in WHOIS is on SSL certificate request verification – specifically domain verification. Prior to GDPR, many certificate providers used the registrant email address from WHOIS as one of the email addresses to verify ownership of a domain.

With the redaction of WHOIS, the registrant email address is no longer visible, and no longer used as one of the email addresses for verification. You must now use one of the well-known email addresses supported by a certificate authority, such as admin@yourdomain or root@yourdomain, if you want to use email for domain verification. Alternatively, you can use DNS verification when supported by a certificate authority. DNSimple automates DNS-based verification with Let's Encrypt.

The Future of WHOIS

While it is uncertain what the ultimate fate of WHOIS will be, it is certain that personal information needs to remain protected – but authorized entities still need access to that data. For example, law enforcement officials around the world expect to be able to access registrant details for domain names in criminal investigations. Law firms and attorneys representing brands still need a way to fight trademark infringement. Domain holders who buy and sell domains still need a way to contact each other.

One possible solution is a new protocol that the registry and registrar community is adopting called RDAP (Registration Data Access Protocol). RDAP addresses many of the shortcomings of WHOIS, including data access control.

What Now?

The current direction of ICANN appears to be toward mandated RDAP support for registries and registrars in the near future. But for the moment, WHOIS is still alive and kicking, albeit with much less information than it had in the past. ICANN's temporary policies have provided a short-term fix for the redaction of information in WHOIS. A long-term solution is coming in the form of RDAP. Until then, there will still be lots of confusion around WHOIS and data privacy.

DNSimple has left support for WHOIS privacy in place for now, but even we do not know whether this feature will remain in the next year or two. For now our advice is this: research any TLD you plan on using to determine their stance on WHOIS data, and apply WHOIS privacy when it is available, as you see fit. For generic TLDs (gTLDs) like .com, .net, and .org, WHOIS privacy is not necessary at this time. The same holds true for new TLDs (nTLDs) like .app, .dev, and others. Your information will be redacted in these cases. For country code TLDs (ccTLDs) you will need to look at the policies for the TLD to determine their stance on WHOIS data.

For additional information on WHOIS privacy, and the impact of GDPR, view our Domain Privacy after GDPR support article. If you manage a large number of domains and need more help, contact us directly.
