In the weeks since my last update, a lot of behind-the-scenes work has gone on for our GDPR implementation project. One aspect of this project, which we can now share more specific information about, concerns changes to the Whois system. I also have some details around how collecting and processing data will influence both our Master Services Agreement and your own end-user service agreements (and we’ll share some recommendations on that).
Update: October 30, 2017
Before we dive into Whois changes, I want to go back to something that was mentioned in our initial GDPR post – to whom does the GDPR apply? At the time, we were proceeding on the basis of applicability by citizenship, meaning that the GDPR would apply to EU citizens. Since that post went live, however, our legal analysis has led us to apply the GDPR based on location rather than citizenship. This means that anyone located in the EU, or buying services from a business located in the EU, would fall under the GDPR.
The Whois directory is a powerful tool. You can look up who owns a domain to find their phone number, email, even their postal address. You can check when a domain was first registered, where it’s hosted, when it expires — that’s a lot of information available with just a few clicks. And because this system has been around for so long, and is such a fundamental aspect of the internet, we often assume that how it currently works is how it should work. But just because something has been a certain way for a long time doesn’t mean it must always be that way, and the GDPR’s looming deadline has prompted the re-examination of many processes and policies.
Instead of “how have we always done this?”, we’re asking questions such as “what’s the best way to do this?”, “what information is it truly necessary to include?” and “is there a legitimate legal basis for this process?”
The GDPR was drafted and brought into law without consideration for its effects on the domain name industry, leaving us to interpret how this regulation applies to our world. One particularly impactful section of the GDPR is Article 5, which lays out “principles relating to processing of personal data.” This is highly relevant to the Whois system, which is essentially just a repository of data, much of which is personally identifiable information about individuals. Warning: we’re going to briefly venture into the legal thicket here, but bear with me!
Under the GDPR, personal data may be collected and processed only when there is a legal reason to do so. For example, one such justification would be the performance of a contract; another is a situation where the data subject (the person to whom the data pertains) has given explicit consent for their data to be processed or collected.
The principle of data minimization requires that the data collected be relevant and limited to what’s truly necessary to carry out the agreed-upon purpose for which the data is being collected. To add to this, the principles of purpose limitation and confidentiality limit the handling of personal data such that it cannot be processed or shared for any purpose other than that to which the individual initially agreed.
Simply put, under the GDPR:
- We can only collect the minimum amount of data necessary to perform a specific action (e.g. register a domain)
- Data can only be shared when there’s a legal basis to do so
- Data can only be shared when necessary to fulfil the intended purpose of the data collection
So how will this impact Whois? Well, it’s certainly difficult to argue that there’s a legal basis for openly sharing contact details of a domain’s owner, administrator, or technical contact in the public Whois record. And we can’t claim that it helps to accomplish the original purpose for which the information was collected (registering the domain). This means that the public Whois system as it exists today is incompatible with the principles of data privacy that the GDPR affirms.
All that being said, the GDPR recognizes that there are times when there is a real, justifiable need for a third party to obtain personal data, such as domain ownership information, and these “legitimate interests” are also provided for within the policy. Think about, for example, an intellectual property lawyer who wants to know the owner of a domain in order to submit a trademark dispute, or a law enforcement officer tracking down the people behind a phishing scheme; they should be able to find out who owns the domain name under investigation. We need some way for Whois information to be provided to the people and organizations who have a legitimate reason for requesting it — but one that doesn’t involve publicly exposing this sensitive data by default.
A New Whois
This leads us to one of the biggest domain industry changes prompted by the GDPR: a gated Whois system.
Not all parts of a domain’s Whois record constitute personal data. The registrar information, initial registration, last update and expiry dates, domain status, and nameservers will all remain publicly available as they are today.
The registrant information — name, organization, address, phone number, and email — is personal data that can no longer be published in the public Whois. Instead, we plan to provide authenticated access in a specific and limited manner, so that those with legitimate reason to request personal data can access the information they require while the privacy of individuals remains protected.
Here’s a snapshot of what these changes may look like:
Don’t worry — this basic user data will still be visible to resellers through the Reseller Control Panel. As we work out the legalities, which will include updates to our Master Services Agreement, we’ll keep you updated.
Do we still need Whois Privacy Protection?
While the GDPR only applies to EU-local individuals, there are data privacy and protection regulations in many other places around the world, which render a public Whois highly problematic, if not unlawful. With this in mind, what we know for sure is that we will no longer be able to publish personal data for any EU-located individual in the public Whois. What remains an open question is whether we will continue to publish personal data for registrants based outside of the EU; we don’t yet have a final answer on that, and we’ll work through this issue over the next few months.
Even if the public Whois does “go dark”, it is certain that there will still be a need for a gated Whois, where registrant data will be made available to parties with a legitimate interest. That may include Law Enforcement, the Security community, Intellectual Property lawyers, Aftermarket providers, and Certificate Authorities, among others. So, while the audience for registrant data may no longer be the entire public, it will still be a large audience. This is where Whois Privacy comes in — if privacy is active on a domain, the personal data in the registration record will still be protected from those with access to the gated Whois.
Now, there will always be the occasional, ostensibly savvy registrant who’s tempted to simply supply false information, seemingly avoiding the need for Whois Privacy altogether. This is something we would never suggest. For legal reasons, ownership disputes being one example, it’s important that the domain contact information be accurate. Additionally, the registration agreement that all domain owners accept as part of registering a domain through an OpenSRS Reseller confirms that all information provided will need to be accurate, current, and reliable. These are ICANN-imposed conditions, and registrants risk having their domain suspended or cancelled if these requirements are not met.
Will GDPR-protected registrants need Whois Privacy Protection?
Whois Privacy still presents benefits for EU-locals, even though their information will no longer be displayed in the public Whois database. As we mentioned above, the gated Whois will still be accessed by a range of accredited users, and Privacy protection will limit the data that is available to them. Additionally, the special masking information that we display for domains with Whois Privacy will continue to appear in the public Whois, instead of generic “Data protected” output. This means that people looking to contact the domain owner can still do so via the privacy service email that is displayed in the Whois.
The need to segment Whois output based on GDPR applicability adds significant complexity to our plans. We’re working on creating a clean, straightforward solution, allowing us to extend the GDPR’s data protection and privacy benefits to all domain owners, while continuing to meet our contractual obligations as an accredited domain name registrar. Thus, our current approach remains in progress, and may be more restrictive when implemented. This is an ongoing community discussion, so please bear with us: plans may change, but we’ll do everything we can to keep you informed and updated.
Reseller Changes Coming in the New Year
All this talk about new restrictions on data processing and collection, and the various process changes they entail, brings me to my final point: how will it all impact you, our resellers? In the lead-up to May 2018, we’re doing as much as possible on our side to minimize the changes you have to make on yours. But despite all our best efforts, there will inevitably be things you need to do as a reseller.
This involves another (even briefer) journey into the legal thicket. According to our interpretation, OpenSRS is a data controller (we determine “the purposes and means of the processing of personal data”) for specific data elements: registrant first and last name, organization, email address, and country. This is all the information we require in order to enter into the registration agreement with the domain owner. For all other data elements (e.g. address, phone, and fax numbers, among others), we are simply a data processor. The difference here is that we are handling this data on behalf of either the registry or the reseller, without actually requiring it ourselves. For example, we don’t need a registrant’s physical address to provide them with a domain name, but you may require it for billing purposes. Various data requirements will also exist at the registry level. As a data processor, we store and transmit this information on behalf of both registries and resellers, and in order for the exchange of all this information to occur, it must be covered in a GDPR-compliant agreement.
To that end, one thing that is definitely coming is an update to our Master Services Agreement — we need to add some information around what we require as a data controller, as well as the changes mentioned earlier, which will remove any concern around resellers accessing clients’ personal data in the Control Panel.
As a reseller, you’ll want to work with your own legal team to review your customer agreements and work through any changes that may need to be in place before that May 25th deadline. We’ll also have some recommended language for resellers to include in end-user service agreements, so stay tuned.
Next month’s GDPR update post will focus on how we plan to request consent from individuals for the use of their personal data. Until then, we’ll continue working hard on our implementation. As a reseller, you can use this time to seek your own legal advice, and think about what information you’re collecting from customers — how does it align with the GDPR’s principles of data minimization, purpose limitation, and confidentiality?
You can wrap your head around the basics, and find helpful context on our GDPR page. Our previous blog post also highlights some fantastic resources that outline emerging GDPR best practices. And finally, we encourage you to sign up for our GDPR newsletter so you don’t miss a thing!