Will the EU Data Protection Regulation put Whois at risk?

The Whois database enables any internet user to identify domain name registrants. The future of this widely-used and sometimes controversial “public internet directory” is now uncertain, due to the new EU General Data Protection Regulation (GDPR). Some registries, such as AFNIC in France (which manages the .fr domain name), have implemented mechanisms to restrict the sharing of domain owner data. Should other countries follow suit? Should the protection of registrants’ personal data become one of the criteria for choosing a domain name, as important as choosing a memorable and SEO optimised URL? Let’s start the discussion.

With thanks to Yann Lequerler, a lawyer and domain specialist at OVH, and Marianne Georgelin, AFNIC's Head of Registry Policies.

How will the GDPR affect us?

The General Data Protection Regulation (GDPR), which was published in the Official Journal of the European Union in May 2016, will come into effect on May 25, 2018. This text harmonises data protection law across the EU, and will take precedence over a country’s national laws. To affirm its commitments to the GDPR, OVH has recently modified its General Terms of Service (see our article in French), in accordance with the CISPE code of conduct that was co-developed by OVH.

This European text is now becoming a key point on the agenda for large companies, as it represents a groundbreaking step in how personal data will be processed, establishing a much stronger framework than in previous national laws. Data protection impact assessment(1), data portability, gaining and withdrawing consent: the GDPR forces companies, whether large or small, to make sure their processes comply with the new regulation. Organisations are, of course, keen to avoid the hefty penalties which are incurred if they breach the Regulation (up to 4% of the company’s annual turnover!), but they also want to provide further reassurance to their users, who are becoming increasingly concerned with the protection and use of their personal data.

Processing personal data as part of domain name registration: differences between the European and American concepts of privacy protection

This situation has given rise to a legal discussion between European domain registries, such as AFNIC, registrars such as OVH (the top registrar in France and the 2nd biggest in Europe) and ICANN. ICANN, the main Internet regulatory authority, manages the registration of generic top-level domains (gTLDs). This organisation is bound by US law and accredits registries, such as VeriSign (.com, .net), Donuts (which manages some of the new extensions such as .social, .media, .email, etc.), Afilias (.info, .pro) or even the City of Paris (.paris), as well as registrars (such as OVH).

A few of their contractual requirements, which need to be met in order to be accredited as a registrar by ICANN and to be able to sell gTLD extensions and new gTLDs, now appear to be inconsistent with the future EU law.

This includes sharing a domain name owner’s personal data (contact details) as part of the Whois service, which registries and registrars are required to provide(2). But that’s not all: transferring this data from the registrar to ICANN, via the registry and third parties, raises questions about unauthorised transfer of personal data outside of European territory, the retention period of this data, as well as the responsibility of each party: who is responsible for processing this information, and how are responsibilities shared in the event of a data leak, for example? Finally, the GDPR now requires that users are better informed about how their personal data will be processed, and what purpose it will be used for. This must be done before the registrar seeks informed consent from the user. In other words, aligning current practices with the new GDPR requirements is a huge task.

Why Whois is a problem

Whois is an open-access service, which provides information about the domain name owner: their name and surname, company (if applicable), address, e-mail, and phone number. This long-standing web service, created back in 1982, made it possible to record and identify anyone transmitting information through the ARPANET - the precursor to the Internet. Since then, it has been jointly maintained by all registries based on more or less uniform standards (RFCs), partly in the spirit of transparency to which the pioneers of the internet were committed, but also probably because of the consensus around the need for such a service for different stakeholders in the network: registrars, legal authorities, trademark owners, creators of works protected by intellectual property, etc.

Whois is, by its very existence, a problem for the protection of individuals’ privacy. Publicly distributing identifying information, or even other information about domain owners, opens the door to the commercial exploitation of data without prior consent and, of course, to spam. Some companies have made a business out of extracting data from Whois at regular intervals, storing the content, then selling it on as files sorted by the registrant’s likely area of business, inferred from the words contained in the domain name (the words appearing before the dot and the extension).

While Whois obviously has legitimate purposes, such as trademark protection (using anti-cybersquatting or typosquatting services, or even through the Trademark Clearinghouse), some uses are more unexpected. For example, it’s possible to subscribe to alerts based not on domain names, but on their owners - meaning that your competitors could be notified when you register a new domain. Just so you know!

These services are exploiting Whois data by using a legal loophole, which the GDPR intends to fill. American stakeholders, especially ICANN, are yet to be convinced about the benefits of adopting a more protective model. Indeed, while anonymity allows a few people to register domains where they publish controversial content, anonymity is, at the same time, a guarantee of total freedom of expression. Cyber-bullying, which is an unpleasant experience in itself, can quickly turn into real-life harassment - for example, by targeting the owner of a website relating to a particular religious, sexual, or political community.

AFNIC: pioneering the restriction of Whois information

National extensions (ccTLDs), such as .uk, .de, .be, etc. are not contractually bound to ICANN in the same way as generic extensions; they are managed independently by the country itself. For example, in France, the non-profit organisation AFNIC has been appointed by the State to be the registry of .fr and the extensions of some of France’s overseas territories, namely .re, .tf, .yt, .pm and .wf.

As it is only bound to ICANN by a mutual recognition agreement, AFNIC was able, in 2006, to implement a data anonymisation procedure on Whois, which is applied by default to all private individuals (natural persons) who register a .fr, .re, .tf, .yt, .pm or .wf domain.
On the record of your domain in the Whois directory, your personal details (name, address, phone number, etc.) are hidden. These details are available upon express and reasoned legal request to the AFNIC legal department and, under certain conditions, in what is referred to as removing anonymity status. Any professional contact details provided by the representative of a legal entity (owner, administrative contact, technical contact or billing contact, which can be the same person) remain freely accessible on Whois.

AFNIC’s practices have been validated by the French data protection authority (CNIL) and by a decision reached by the Paris Court of Appeal in 2012. They have proved to be precursors, as a number of other registries with national extensions have followed suit. This optional measure to limit the dissemination of personal data can now also be found when registering a .eu domain (managed by EURid) or a .cat domain (an extension created for Catalonia).

However: .paris, .alsace, .bzh, .corsica - or even .ovh, for which AFNIC acts as a Registry Service Provider, are generic top-level domains (gTLDs), not national extensions (ccTLDs). As such, these extensions are contractually bound to ICANN and the provisions of their agreements do not currently allow them to offer anonymity for the information published about them in Whois. The options for restricting the dissemination of this information do not offer as much protection, as we can see below.

The limitations of privacy services for gTLDs

ICANN specifically oversees the management of gTLDs (.com, .org, .net, .ovh, .top, .pro, .xyz, .paris, .online, .mobi, to name a few of the best-selling domains at OVH). And the playing field is not quite level. While ICANN allows (but does not encourage) Whois privacy procedures, it does not allow complete anonymisation, even for individuals. Their first name(s) and surname(s) - that’s more than one name if the owner and the administrative, technical and billing contacts are not the same person - are, therefore, always displayed on Whois.

Some registries, while not resorting to restricted dissemination, have adopted interesting, but not entirely satisfactory, intermediate procedures. This is the case with the .amsterdam registry, which filters access to its Whois server by requiring that applicants enter into a service usage agreement. Finally, certain registries simply do not accept the registrars’ partial anonymisation procedures.

Therefore, when authorised by the extension registry, OVH offers a free optional anonymisation service (privacy service) for certain sections of Whois information: postal address, e-mail and/or phone number (this can only be selected for natural persons; legal entities can only hide their e-mail address). As part of our OWO service, OVH redirects your e-mails from a specially created spam-protected e-mail address, and forwards you any postal mail (for example, a letter of formal notice) - all without your contact details being disclosed at any time, or sold to anyone.
This service provides minimal protection, but does not guarantee either the owner’s anonymity or total protection against unsolicited marketing - because the crosschecking of data by third parties, while illegal, is not impossible.

A warning to those tempted to enter false information when registering a domain: deception can be expensive. ICANN performs regular checks and may request copies of documents from the registrar proving the owner’s identity... and it has full authority to request a domain suspension in case of fraud. In order to ensure the accuracy and validity of their information, every registrar is required to email each gTLD owner every year, requesting confirmation of the contact details that they entered during registration. Please also note that providing false information might put you at a disadvantage with the terms and conditions that you agreed with OVH when subscribing. The same applies to owners of a .fr domain, whose contact details are subject to over 25,000 checks per year by AFNIC and which registrars are also responsible for keeping up to date.

The “proxy registration service” solution still remains - paying a third party to replace your personal information with theirs in Whois. But this service is costly - in terms of the legal risks incurred by the person assuming the responsibility of being the owner. It has also already been contested in court, particularly by rights-holding companies, for which these anonymisation procedures greatly complicate the appeals process.

What does the future hold for Whois?

The deadline for implementing the GDPR, in less than one year, will speed things up a bit. ICANN will, therefore, need to take into account the recommendations of European registries and registrars, who will be set up as a working group.
This group, in which AFNIC and OVH are represented, is now working to design a model that is acceptable to the various stakeholders, adapting ICANN’s practices to EU law. The discussions are sure to be heated and will focus not only on the Whois anonymisation procedures, but also on the entire life cycle of the data collected by registries and registrars. Where is this data stored, and how long is it kept after an agreement expires? Users will be able to find precise and satisfactory answers to questions like this, thanks to the GDPR.

This could well lead to a clarification on the different levels of personal data protection offered by registries to registrants. This may make choosing your next domain name a little more complicated... but, as you now know, it is for a good reason!

We will return to these debates and the issues at stake in more detail, especially during the AFNIC coordination committee meeting on October 12, which, on this occasion, will be open to everyone to discuss the GDPR and its impact on our businesses and our customers.

To be continued...

(1) The impact assessment is mandatory in the event of personal data being transferred outside of the EU or in operations involving risks.

(2) For some extensions, it is the Registrar’s responsibility to publish the Whois information. This creates a difference between Thick and Thin entries: for example, the <.com> domain is currently a Thin Whois, i.e., it is the Registrar’s responsibility to publish the Whois. This system is going to change - ICANN has published a new policy that will require all registries managing gTLDs to switch to Thick Whois. This means that the Registry will be in charge of publishing all Whois information.