87 comments

[ 4.8 ms ] story [ 155 ms ] thread
I love the fact that "whois privacy protection" has become a free service now thanks to GDPR.
Nothing is truly free. You're paying for it in one way or another.
But you are not paying the same amount of profit, likely.
That's not how it works. Supply and demand is a bit more complicated.

To simplify though, services and goods aren't priced purely according to what they cost to produce. You're thinking "the cost of production is the same, but a source of secondary profit is gone, so they have to raise the price of domains to compensate".

But actually the price also depends on what people are willing to pay. And that hasn't changed.

In this case the cost of the service is close to zero, so it's virtually free. It was similar to phone operator charging for caller ID, an easy way to make a quick buck by flipping a bit somewhere.
Could you please explain how in the specific example discussed here?
As a German this rather doesn't make any sense to me. ICANN is not allowed to offer the whois service, but I have to publish my full address on my website according to German law.

How can this be?

ICANN is relevant for email-only.
If you're offering a service, then yes, you have to do that.
Last time I checked, I found out that you're providing a commercial service if you put a button for paypal donations on your website. I don't know whether this is how things are today but it lead me to believe that it is not so simple to decide whether or not you do need an Impressum.
Not all EU countries require that or have different rules around it (in germany only business-like websites require the imprint)
You only need to put an email address on your personal websites. If you choose to do business (which includes showing ads), you will need your full contact information on there.
> You only need to put an email address on your personal websites.

You don't have to publish any contact information on non-commercial websites.

You should do it anyways. If somebody can only reach you through lawyers, you will only get contacted through lawyers. This generates costs which somebody will have to pay, which might be you in the end.
> but I have to publish my full address on my website according to German law.

The E-mail address does not need to be your personal address, Lufthansa uses impressum_de@lufthansa.com and I don't see a reason why this would not be acceptable.

The postal address does not need to be your personal address, a business address is fine. Well, if you are a 1 person business run from home I am not sure. Go to court and have it tested up to the constitutional court, why Carsten Spohr (CEO of Lufthansa) gets better data protection than you do.

Yes, your real name has to be on a business web site. That's obviously the price to pay to run a business. As a potential customer wasting my money on fake service or otherwise suffering from a breach of contract, I think this is a good thing.

(comment deleted)
Because Governments can make laws but ICANN can’t? (GDPR explicitly exempts personal data that is legally required to be disclosed from protection)

Edit: actually after a bit more thought, it’s more nuanced than my somewhat glib response lets on (since there’s also an exemption for contractual obligations).

The answer is likely that a) the law hasn’t been tested in the courts under GDPR and/or b) the Government requirement has the additional test of providing a service, which may alleviate the privacy cost sufficiently.

Doesn't have to be your actual address, just one where you can receive mail.

Get a Postfach for a few euros a year, put it on there, and be done.

A postal box/postfach is not sufficient and that will definitely earn you a C&D. Don't do that. (21. Juli 2016, Az. 1 HK O 168/16 for reference).

The imprint requires an address that permits receiving legal notices (ladungsfähig), ie, an Address where you as a person can be found.

That's relatively recent then, but annoying.

In that case, shouldn't the trick via a UG (Haftungsbeschränkt) still work?

Well, even an UG (Hb) needs a business address which you will have to put in the imprint and to my knowledge you can't put a PO box as business address in the register.
> I have to publish my full address on my website according to German law.

Wherever there's potential for legal conflict, there's obviously a need to be able to find out who to sue. Same issue that worries the intellectual property rights lobbyists behind ICANN.

> As a German

Germany, additionally, is keen on knowing who to prosecute over free speech. Probably now an indispensable democracy management tool after having opted to give up on the "German" part of Germany in 2015, I don't see this going away any time soon.

which case do you refer to about prosecution over free speech?
Stuff about Nazis, I bet.

Saying "free speech" was a claim, in that talk about Nazis is regulated in Germany.

I also think the effect of this is absurd, but the logic is sound and it is unlikely it will change.

ICANN is illegally collecting protected data when requiring personal data for WHOIS without having any reason to do so, and that's the problem here, the conflict. But in the impressum, it is you that is releasing data, not someone collecting, and that is not conflicting with the DSGVO.

Maybe it would be possible to argue that Germany is collection that data de facto, or that it is illegally enabling illegal data collection by third parties, and suing the country for that in an EU court. But that is not a winnable fight, they'd argue that they are not collecting the data, and that there is a valid reason to force the release of the data.

Isn't ICANN collecting this data from registrars? I cannot recall myself entering my information on their website. I am sure a lot of people that buy domains don't even know about ICANN getting the data.
Registrars that are ICANN accredited are obligated to place all registrant data in escrow, so in effect, yes.
(comment deleted)
Because the law is poorly drafted, ill-conceived, and places the responsibility for protecting these data solely on third parties, who then do not have resources to determine if they are even allowed to do something that you already agreed to in another form (by providing the data, specifically for the purposes of publishing, as part of the necessary process of registering a domain).
You are not forced to host a website despite having a domain.
> It should have been obvious that the legislation would also impact the Whois service, which requires anyone buying a domain name to provide their names, address and personal contact details – and then publishes it all on the internet for anyone to see.

Even using "whois privacy protection", I've always anonymized my contact information. I've used a working email address, of course, so I can manage the domain. But there's no reason to provide a physical address or telephone number. I tend to use hostels and business hotels.

Also, while this will protect those registering or obtaining domains going forward, historical data is widely available.

> But there's no reason to provide a physical address or telephone number. I tend to use hostels and business hotels.

Except for that ICANN rule that if your information is incorrect, your domain name can go bye-bye at any time.

True. But I've never had that happen. And that's why I've used valid addresses and numbers. You mainly need to pass validity checks.

And for critical domains, you can just hire trusted third parties to manage them. There are law firms that specialize in stuff like that.

> But I've never had that happen.

Well, I guess that means it will never happen in the future either then.

> I've always anonymized my contact information.

So you've lied on the form. While this may have worked for you, it obviously cannot be the standard way. The law cannot be made on the assumption that users can just lie.

I get that. And changes in EU law are recognizing privacy rights. So people who care about their privacy no longer need to lie. Unless their threat models include governmental adversaries, of course.
I work in a registry which has whois obligations over number resources and I find this very troubling. I'm not going to say there is no right to privacy here, but I suspect states inside the EU will be seeking high privileged rights to information not in whois, come what may. So, this disempowers people seeking redress from harm as outsiders but doesnt stop state actors or lawyers or police.

Apart from my dayjob I have whois objects in DNS registries so i know there is the other side of the coin. I see the bad stuff from choosing not to hide my ID.

I'm fine with governments being the only ones who can view domain registration details. Heck, I'd be fine with nobody having access, forget the whole whois system: if the government needs to find who runs freemovies.example.net, they can ask (or subpoena) whoever was paid to register it (i.e. the registrar).

As far as I understand, the WHOIS system was made in the 80s when it was useful to be able to look and ring someone up. Literally everything was in beta on the arpanet, and direct communication makes debugging a lot easier. But it's 2018, and I do not want 4chan to be able to look up my home address in that system. That creates more mayhem than it's worth by far.

Thinking about what use I ever had from the whois system, I guess it's only abuse email addresses for IP addresses. And I hear that people make use of the registration date of domains to calculate spam scores. Neither of those require the registrant's private information to be in there.

Problem is, some domain and number holders have no incorperated body: they hold the resource as a private individual. Hard to formulate consistent data law around WHOIS when its both people, and corporate entities.

I was in the WHOIS as was from SRI-NIC. I kept GM85 in my current nic-hdl for resources as a memory of the days gone by: they even published a paper copy of the listing.. the phone book of the internet, how .. quaint.

Yes, the protocol is designed for days gone by. but the GDPR laws apply to RDAP, even though it has HTTPS and could in principle use Oauth or similar to constrain whats shown to open access.

I don't understand the problem. You say the problem is that both individuals and companies register domains, but why should the info of either be visible in a public database?
So that people who are seeking redress can find who holds the resource. That's what whois is mostly about: redress. I'm not trying to defend that against peoples rights to privacy I'm observing there's a significant community of interest in "who did that" if you don't believe that's necessary then you win with GDPR. If you do, then the masking means you cannot know, but lawyers and judges and police and governments can.
> some domain and number holders have no incorperated body: they hold the resource as a private individual

whois has been useful to me in the past for finding out whether a DNS name is held by the foundation/company/trust/whatever or if it's held by a private individual who set up the foundation/trust/whatever. When a whois lookup shows a certain private individual listed as owner, admin, and tech contact for some DNS name, then I can know the foundation is a sham created to make it look like the open source product is community controlled, when in fact it's really just one narcissist pulling the strings.

I say keep the whois service as is.

> I'm fine with governments being the only ones who can view domain registration details.

Which governments, where, and at what time? North Korea has a NIC, so does Eritrea. Should the dictator of Eritrea have more privileged access to your WHOIS information than somebody who could actually give you a productive tip? (i.e. "Hey, your mailserver keeps trying to relay this message, which is not destined for where it's being routed", or "a host under your domain is ICMP flooding my IoT gateway, maybe you have an unwanted access on your hands"). I've used WHOIS productively in the last year, and WHOIS proxies work to get your address off the registry, I just don't think that the actual owner of the domain (you, domains by proxy, etc.) should be permitted to register a domain without somebody being directly responsible for its behaviour in some way which is a step before a civil suit (which seems to be the only way your system would work). You need an address for your corporation as well, it's mostly the same idea.

There is no reason that domain providers will be incapable of providing a contact point and you were always able to put a separate email inbox on WHOIS.

But there is no need for a full postal address of real email addresses that people might use for personal contacts or a real name. That just leads to more abuse.

Same for phone numbers.

> There is no reason that domain providers will be incapable of providing a contact point and you were always able to put a separate email inbox on WHOIS.

The registrars have an interest in not delivering requests for sale or even abuse reports, because it's likely that they will result in the domain either being decommissioned or moved to another registrar.

I have no problem with the former but they do have incentive for the later as not delivering the abuse reports will lead to the domain being decommissioned because it's on every spam and blacklist ever.

WHOIS Privacy Services have been doing exactly this for a long time and they are usually paid by the domain registrar.

I think that problem is more imagined since there doesn't seem to be this problem in the real world.

> WHOIS Privacy Services have been doing exactly this for a long time and they are usually paid by the domain registrar.

Yes, but crucially they are not the domain registrar, and that's because this was already a problem.

And then what is the problem with continuing this but reinforcing this business structure? Because shitty registrars could now be more shitty?

Honest and good registrars don't have a problem with WHOIS services, you claim they would since the emails they forward could lead to lost sales.

The WHOIS service is just as incentivized to filter out certain mails since they are paid by the registrar and thus get profit of sold domains.

It seems to me that ICANN came up with a plausible interpretation and the pushback from the regulator should be a wake-up call to those who naively claimed GDPR was reasonable and no big deal.

I think it makes a lot of sense for a domain registrar to keep basic information in the long-term, about who registered what. I find it odd that this has become a point of contention.

Then require registrars to do so legally. They probably already are in many cases, due to long-running storage requirements for business documents (e.g. they probably keep "we billed Mr. X for example.com on $date, and he paid using the credit card on file" for many years).

Less clear why ICANN needs to store that data too, I think it's right that they should have to properly justify that. ICANN has made up rules however they liked forever and ignored warnings about privacy for over a decade, and about GDPR specifically for years, so I have to admit I have little compassion for their self-created problem here.

Sure, but why should that information be public?
Did you read the letter [1] that was linked in the article? It is much less hyperbolic than the article makes out.

Paraphrased:

Yes, of course you can keep registration data for your own legitimate usage. Contact information for the lifetime of the domain is fine.

Storing it for 2 years after expiry is not necessarily problematic, but you need to document why you legitimately need it.

You can't make private contact information public without consent.

However, you can disclose it to 3rd parties who make a legitimate request, but you should record the request.

[1] https://regmedia.co.uk/2018/07/05/edpb-icann-whois.pdf

It also sets up peculiar legal fictions, i.e., it is ok to keep contact info for 'legal' persons, but not 'natural' persons and if the 'legal' contact info hints indirectly about a 'natural' person, that's a violation, unless, I'm sure a series of other conditions and legal fictions are satisfied. The 8 pages are dense with impenetrable legalese, and the message essentially is that ICANN is not allowed under GDPR to fulfill its mission of publishing the identities of website owners to the public. That is not a reasonable position, from a US perspective. Why is only a government inquirer allowed to know such things automatically, why must my request as a member of the public be logged for ICANN to fulfill it? Is that actually beneficial to 'privacy' or a derivative GDPR minefield?

GDPR is a negative development for openness, tranparancy and interconnectivity.

I can explain it simply to you. Only the personal data of flesh and blood human beings is protected. So contact info is protected if it is the direct email of a human being. If its a huge faceless corporation and the email is just "legal@.." it is not protected. Saavy?

Well its certainly beneficial for privacy. There are very few social media sites in the world where publishing other people's contact details without their permissions is allowed. Its banned here. Its banned on Reddit. And a ton of other sites. There is really very little difference.

How would you feel if all HN submitters had to list a personal phone number? Why is running a website any different?

Whois is not about that at all, it’s about offering that information to the public at large.

GDPR does not limit the collection of data that has a legitimate business use as long as it is used for that business use only and removed when the use no longer exists. Otherwise how could you do billing?

I can't even find what the ICANN proposed in the article. (The article contains little more information than the headline does by itself.) What interpretation did the ICANN come up with that you think is reasonable but is still not GDPR compliant?
I'm the author of this piece. I considered writing a full policy breakdown but figured people would get bored very quickly.

Plus, things keep moving so fast (almost arbitrarily sometimes) that I wonder whether it's worthwhile. Fundamentally, the issue is this:

US intellectual property lawyers are very well organized and have the backing of big corporations. As a result, they have a disproportionate influence in US organizations - in this case, ICANN.

With each new proposal, each new rule, each new policy, these (very smart) IP lawyers find ways around it to suit their main goals. And because ICANN, unfortunately, has no moral or ethical center, it tends to bend its own policies to accommodate whoever is the most powerful and/or loudest on any given issue. In this case, the American IP lawyers are very driven to retain the existing system.

But in this particular case of Whois they have come up against a brick wall of decided European law.

And they have been trying to find ways around it, pressuring ICANN into a series of policy positions that are very clever but can't go anywhere because the law is settled.

Plus the data regulators are the people in charge of deciding how it is interpreted. And they, naturally, have a fairly strict interpretation of GDRP.

It's worth noting btw that European governments have often ignored the data regulators in favor of their own corporations (just take a look at the whole Privacy Shield debate). But in the case of GDPR, the data regulators are in the driving seat. At least for now.

So I could give a detailed rundown of what ICANN has proposed, and how it has changed, and how it is going to change again. But in truth it doesn't matter - ICANN and the IP lawyers will try on any new interpretation they can think of to get what they want - access to the contact details of every domain name - and they will discard any or all of them as soon as they no longer further that goal.

What's really happening is that ICANN has, for the first time, hit a situation where it doesn't get to decide for itself what happens.

As such this Whois/GDPR process is shining a spotlight on the dangerously flawed policy-making process of this critical organization where it keeps insisting on transparently bad policies, keeps putting forward arguments that don't make sense, and keeps trying to bend its own processes to fit with a pre-determined conclusion.

And the Europeans look at it, say No, and the whole facade comes crumbling down. And that is causing massive temporal dissonance at the organization in charge of the internet's naming and numbering systems.

That's what this article is about. And it's unlikely to be the last.

Very nice summary. And I think, like other noted, that these IP lawyers are a legal consumer. The rest of us however, are screwed. But the be fair, what legal reason we have, which would not be enforceable under law (similar to ip topics)? The GDPR ensures that the data streams are justified and in consent with the owner of the data.
> ICANN and the IP lawyers will try on any new interpretation they can think of to get what they want - access to the contact details of every domain name - and they will discard any or all of them as soon as they no longer further that goal

Well then I'm not surprised, if they keep coming back to the point where information is public... no matter what additional things you think of, if the fundamental issue is not solved, I cannot see how it would ever be compliant with any privacy law (either GDPR or even the DPA from 1995).

The article speaks about "the critical Whois service". Can anyone tell me what it's critical for? I can think of two reasons:

    - abuse contact info
    - registration date
(The latter is used in spam score calculations, I've heard.)

Neither of those are the registrant's private information. I don't understand why we're pushing to have private data in a public directory in the first place. (I never understood this, but being young, I first registered a domain around 2008, long after it was common to ring Joe from USAF up because their FTP was down.) The registrar has to store it for billing anyway, so if a domain is used for something illegal, the police can get at the info anyway...

Exactly my thoughts, if Whois can die in the process, it won't be missed by anybody. It's been useless at its purpose since the early 2000's at least. There's no point in keeping it, GDPR or not... I can't even think of a non-spam application these days.
Sometimes I want to email the domain owner to see if they are interested in selling their domain. I don’t see this as spam personally because the emails are always bespoke and “hand written” making a specific case. What would you advise be done in this situation instead?
If the domain owner doesn't provide an email on the website reached through the respective domain itself it's probably a signal that they don't want to be approached.

So ideally, in case they don't provide an email, one would not do that.

I have purchased a number of websites from individuals who have had a private Whois or no means of contact listed on their website. It requires a significant amount of sleuthing but the point is these people all sold their sites anyway. You may not ever be actively looking to sell but it’s short sighted to not provide a means of contact for an asset that has value and can be sold.
You might find it short sighted, but that does not mean that people shouldn't have a choice.

I get offers for my domains, all unwanted.

If I at some point decide to sell one of those to one of them, all the cold approaches from the past don't suddenly get legitimized.

edit: as I'm writing this, I remember that this is quite similar to the selling of social media IDs. Some random crypto start up decided that they should try to bully me to sell them my three letter Twitter handle. Really annoying.

The same reasoning should then apply to everything you own: there should be an organization forcing you to put your email address or phone number on your car, on your house, ... Even if you have no plans to sell those assets, let people contact you if they want to buy them (or help you sell them).
My county assessor's office maintains a database of property owners in my area and their contact information. They have a convenient website where I can access this information at any time.

My state department of motor vehicles maintains a database of vehicles registered in the state and the contact information for their owners. While they do not have a convenient website for querying this data themselves, they make it available to third parties in bulk, and I can obtain individual records for those third parties convieniently using their websites.

Both these databases are mandated by my state legislature. So it seems the same reasoning does apply.

One difference is that the state also provides title to these assets, with all the legal protection that this does (or does not) imply.

Another difference is that this contact information does not, AFAIK, include recipient-paid [1] contact methods such as mobile phone (including text) and e-mail. Also, methods such as phone are generally considered far more intrusive that, for example, paper mail.

[1] nowadays this is mosty nominal, but we're not quite at zero

> If the domain owner doesn't provide an email on the website reached through the respective domain itself it's probably a signal that they don't want to be approached.

Not true. Many people don't realize the value of what they have. And/or they won't see a message because of spam etc (could argue that this happens with whois also but generally the more clues the better).

Note that with physical real estate it is often purchased by someone wanting a property that has no sale sign. Also (per my other comment) there are many people who don't know the value of what they have.

So it's not a signal at all in many cases (I have over 2 decades of first hand knowledge of this btw.)

Besides it all comes down to price. You may not want to sell your house but if someone comes to offer you 3x what you paid you might listen to them. You may 'not want to sell' for what the market price is. Selling prices for domains are all over the map.

If it's important enough, I guess the registrar could be used as relay.

But I do see your point. On the one hand, I'd suggest an optional "reach the owner" part of whois, where one could list a physical or digital address (doesn't even have to be email, I sometimes list social network presence on "about" pages as contact method for unimportant sites, to prevent spam). But on the other hand, we already have a place where you can optionally put your contact details: the very website we're talking about. And there you can apply any anti-spam measures you want, which you cannot do if it's in a public directory somewhere.

I think it's fine if people have to publish their contact info themselves.

> If it's important enough, I guess the registrar could be used as relay.

If the registrar is in the middle, they have a considerable interest in failing to deliver sales inquiries, because they will tend to lose out on them. Same with certain types of abuse inquiries. The registrar has a conflict of interest with most forms of legitimate inquiry on a domain. If the registrar allows unfiltered messages, or messages whose content is entirely unknown to the registrar, then you're back to square one, because the end address ultimately has to filter the spam.

Trivially solved by a postalesque method.

Simply write delivery into the contract, and require fees paid to the registrar from any party sending mail through the service (i.e. stamps).

Critically, if one were going to do this, allow the domain owner to black hole all communication via this path if they're not interested.

Write to {info,admin,webmaster}@...
I would say most domain owners don't have any of that setup. So any emails sent to any address at that domain will fail to send.
It's absolutely critical for network engineers.

Think figuring out who a given prefix belongs to, what routes are advertised by an AS, what BGP communities does an AS honor, how to contact an organization's NOC ...

(yes, whois is for more than just domain names)

I didn't know that this was part of WHOIS, I thought separate services such as BGP looking glasses provided this. And other organizations (IANA and RIRs iirc) hand out AS numbers and prefixes. But even if it were part of WHOIS, then this is non-personal information which should be fine to list in a public directory.
These decisions don't touch upon the listing of corporate information. Unless a private person operates an AS, this is not an issue for the things you mentioned.
Presumably that doesn't entail saying "you must provide your true mailing address, name, and phone number or we yank your domain". A working email address should be all that is required, at most.
Intellectual property attorneys have fought the most to keep whois data public and accurate.

Those who buy and sell domains are another group who are annoyed that it is no longer public. They can easily solve the sell-side issue but when they want to buy a domain, if the owner is not specifically trying to sell it then it becomes more difficult to get ahold of them to make an offer.

This is exactly true. (And it makes sense given who you are. I remember your name from the formation of ICANN btw.)

However I will add something else.

If it becomes hard for people/companies/startups who want to buy domains (.com as you know is all that typically counts) (or for brokers etc) then there will be a shift away from .com because of that frustration. Right now people start perhaps with another TLD but once they get successful they try to get .com almost always. And that supports the market price of .com

So sure the big time people (who charge 'high' prices) will make it possible to be reached. However there is another tier that either forgets to put up contact info (or it's out of date on a web page that gets spam) or does not even know they have something of value. Those owners, if they can't be reached, will miss out. And the buyers would be more likely to then go for another TLD. Hence .com in general could loose value. [1] Not overnight but will happen.

[1] I both own domains (since 90's) and help people buy domains. This is actually my big concern with 'help people buy domains'.

I'd be perfectly fine with IP attorneys having to go through law enforcement to get the law enforced.

As for buying and selling a domain, I've commented on that in an earlier sibling thread:

> If it's important enough, I guess the registrar could be used as relay.

>But I do see your point. On the one hand, I'd suggest an optional "reach the owner" part of whois, where one could list a physical or digital address (doesn't even have to be email, I sometimes list social network presence on "about" pages as contact method for unimportant sites, to prevent spam). But on the other hand, we already have a place where you can optionally put your contact details: the very website we're talking about. And there you can apply any anti-spam measures you want, which you cannot do if it's in a public directory somewhere.

> I think it's fine if people have to publish their contact info themselves.

At https://news.ycombinator.com/item?id=17483637

I still call and expect calls as a domain admin, you shouldn't have to go to the police to get something resolved.

There are a bunch of people in this thread claiming that "WHOIS ... won't be missed" or "nobody uses WHOIS properly these days", and it just gives me the impression that a) they operate delinquent, abusive domains for which they receive calls or b) they think that because they haven't used WHOIS productively, they never will. You'll miss opiates when you're in pain.

For what kinds of issues do you call the number listed in the whois? I've never thought of doing that so genuinely curious.
Apparently enough phishers/spammers are actually dumb enough to not use whoisguard

https://www.recordedfuture.com/whois-gdpr-icann/

The reason that security researchers have had success with using WHOIS data is twofold. The first is that many attackers, even sophisticated attackers, have had poor OPSEC (operational security) when it comes to registering domains. A surprisingly large number of attackers simply didn’t bother to take steps to hide their identity or create unique, fake aliases when registering domains. Spammers were notoriously bad at hiding their identity, making it easy to identify newly registered domains as belonging to a known spammer and immediately adding it to block lists and real-time blackhole lists (RBLs).

Secondly, even attackers who realized their mistake and changed the WHOIS information of their domains after the fact, or added privacy services to the domain, were out of luck because certain companies, such as DomainTools, keep track of historical WHOIS data, and researchers could easily see the original WHOIS information.

My inner self is kind of in the 'watch the world burn' mode.

Given ICANN is a US based company, I believe they can terminate the contract with all European registries for unable to fullfill the terms in contract.