GDPR: Limiting WHOIS Can Make Pirates Harder to Find

16 April 2018


The General Data Protection Regulation is coming into effect next month and it will change the current system for protecting the personal data of EU citizens. Following that, the WHOIS database will be limited – which concerns anti-piracy groups.

The main goal of GDPR is to protect EU citizens from online abuse and breaches of privacy. It applies to all companies processing their EU subjects data, no matter where the company is located.
There are severe penalties for non-compliance – from 4% of annual global turnover to 20 million euros; whichever is greater. That makes it a serious matter.

It will greatly affect domain name registries and registrars who publish the personal details of domain owners in the WHOIS database, which is public – with a full entry listing an organisation’s name, address, telephone number and email addresses.
The issue that arises here is that registries and registrars are obliged to publish data in the WHOIS database by ICANN (global domain name authority).

ICANN has been trying to resolve the clash – but since they only determined it would affect them in October 2017 – they have been rushing to find a solution since then. They have proposed a model of GDPR compliance which makes registrars continue collecting WHOIS data in full, but not publishing it to the public.
This raises a concern – it will have a serious effect on the ability to protect intellectual property rights from “cybercriminals”.

Groups like Copyright Alliance, MPAA (Motion Picture Association of America), IFPI (International Federation of the Phonographic Industry), RIAA (Recording Industry Association of America) and dozen of others – sent a letter to the Vice President of the European Commission warning that restricting their access to WHOIS will affect their ability to protect their rights.

The EFF, on the other hand, says that being able to contact a domain owner wouldn’t necessarily require an email address to be made public: “There are other cases in which it makes sense to allow members of the public to contact the owner of a domain, without having to obtain a court order, but this could be achieved very simply if ICANN were simply to provide something like a CAPTCHA-protected contact form, which would deliver [an] email to the appropriate contact point with no need to reveal the registrant’s actual email address”.

What do you think about the GDPR and WHOIS confusion? Is it going to help us retain our privacy, or help grow cybercrime? Let us know in the comments below.