ICANN’s WHOIS Website Refused GDPR Extension

The US body that supervises the administration of domain names, and owns the WHOIS website, has been denied an extension to comply with the GDPR.

The Internet Corporation for Assigned Names and Numbers (ICANN) said the move will hamper law enforcement, journalism and cybersecurity services worldwide, since the WHOIS website is used by these three industries to check the legitimacy of website links.

Earlier this month the body acknowledged that it would not be possible to obtain a one-year exemption from fines under the EU’s General Data Protection Regulation (GDPR).

GDPR conflict

WHOIS displays contact information for people and organisations that have registered domain names, but the way it operates is illegal under the GDPR, and could expose registrars and registries to crippling fines.

ICANN’s board met in Vancouver, Canada, earlier this month, and soon after the organisation published a revised version of its temporary specification for allowing registrars and registries to operate without conflicting with EU data protection regulations.

But the plan has not been approved by EU regulators, and the US government, which wants information such as email addresses to continue being displayed, has not given it the nod either.

And then last week ICANN filed a lawsuit against a domain name registrar in Germany, in an effort to clarify how the new GDPR should be interpreted.

ICANN filed the legal action against EPAG on 25 May, the same day as GDPR came into force.

Too slow

But at least one security expert believes that ICANN was far too slow to recognise the impact GDPR would have on its service.

“The public removal of personal information from WHOIS, the system used to store the registered users of website domains, undoubtedly makes life for security and law enforcement agencies much harder,” explained Andy Kays, CTO at Redscan, a UK-based cybersecurity services company.

“Whether fake or not, the information stated on WHOIS can be invaluable for helping to trace and track the individuals behind attacks such as phishing and spamming,” Kays added.

“An accreditation scheme that would vet access to personal data in WHOIS records for special interest groups such as the police, security researchers and journalists would certainly be very welcome and help to address concerns,” he said, before lamenting ICANN’s poor preparation for GDPR.

“Planning to implement such a vetting system should have started years ago, but by only recently attempting to outline its proposals, ICANN shows that it has been too slow to react to the global impact of the GDPR,” Kays said.

Tom Jowitt

Tom Jowitt is a leading British tech freelancer and long standing contributor to Silicon UK. He is also a bit of a Lord of the Rings nut...
