The Internet Corporation for Assigned Names and Numbers proposed redacting some information from the WHOIS database...
in response to the European Union's General Data Protection Regulation, which began enforcement in May 2018. What would this mean for the records in the WHOIS database? Are there ways for legitimate information requests to be granted?
The European Union (EU) General Data Protection Regulation (GDPR) was adopted on April 14, 2016. Following a two-year transition period, it became enforceable on May 25, 2018.
Despite this two-year grace period, many companies struggled to comply in time, even with the threat of fines of up to 4% of their global annual revenues. This is partly because there are conflicting interpretations of what constitutes user consent and what types of data are covered. But, in addition, organizations have not appreciated the full extent of the changes they need to make to existing business practices and systems.
The reason that GDPR affects so many organizations is that it covers data processing outside the EU that relates to the offering of goods or services to individuals in the EU or the monitoring of their behavior. It applies to all personally identifiable information (PII) -- so from names, email addresses and location information to genetic and biometric data collected on people within the EU. It also puts sensitive information, such as sexual or political preferences, into special categories of personal data.
What's more, organizations must obtain "freely given specific, informed and explicit indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed." The nature of this consent is creating a lot of confusion amongst IT and legal teams as to how to best meet the demands of GDPR, and the Internet Corporation for Assigned Names and Numbers (ICANN) is no exception.
ICANN manages the global domain name system and is required to maintain timely, unrestricted and public access to accurate and complete WHOIS information, including domain name registrant, technical, billing and administrative contact information -- subject to applicable laws. The idea behind WHOIS is that it provides sufficient information to contact a responsible party for a particular internet resource who can resolve any issues related to that resource. This is why when anyone purchases a domain name, they have to provide their name and contact details.
To avoid any chance of a court deciding that this doesn't constitute "freely given consent" as "consent will not be free in cases where there is any element of compulsion, pressure or inability to exercise free will," ICANN is considering redacting some personal information, including the name of the person who registered the domain, as well as their phone number, physical address and email address, from the WHOIS database.
Under the new system, registrars would collect all the same data points about their customers, yet limit how much of that information is made available via public lookups in the WHOIS database. However, this will create a big problem for many IT security experts and products and services like reputation-based security and anti-abuse systems that regularly use WHOIS to determine whether traffic or websites are legitimate, to identify attackers, to combat cybersquatting and so on. Even if the WHOIS information is fake, it is still useful for tracking cybercriminal activities, as the same fake data is often reused, which enables piecing together an attacker's fingerprint.
It may not be necessary for ICANN to redact this useful data, as the processing of personal data is lawful as long as one or various conditions are met, only one of which is the individual's consent. Any of the following clauses potentially legitimize the use of the WHOIS personal data:
- Article 6 c "processing is necessary for compliance with a legal obligation to which the controller is subject."
- Article 6 e "processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller."
- Article 6 f "processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party ..."
There are arguments on both sides: consent must be given freely and unconditionally on the one hand, while the internet is a public network and publicly available contact details for domain owners are an important requirement for its day-to-day operation. Hopefully, the EU and ICANN can come to a swift agreement on how best to satisfy the needs of everyone.
Ask the expert:
Want to ask Michael Cobb a question about application security? Submit your questions now via email. (All questions are anonymous.)
What to know about personal data under GDPR
Dig Deeper on Database security
Related Q&A from Michael Cobb
Sending sensitive information in attachments is inherently unsafe, and the main way to secure them -- encryption -- can be implemented inconsistently... Continue Reading
Spyware can steal mundane information, track a user's every move and everything in between. Read up on the types of spyware and how to best fix ... Continue Reading
Explore the differences between symmetric vs. asymmetric encryption algorithms, including common uses and examples of both, as well as their pros and... Continue Reading