What is going on with WHOIS?
ICANN President and CEO, Göran Marb recently laid out three models for how to change WHOIS in order to bring it into compliance with GDPR. “Model 1” would apply only in the European Economic Area (EEA) — the area affected by GDPR. This model would withhold personal information from the public but allow access to anyone who self-certifies they have a legitimate interest in the data. This model is only a modest change from a completely publically available WHOIS since there is no verification mechanism to see if a party’s interest is indeed legitimate. For this reason, it is questionable whether Model 1 is GDPR compliant.
“Model 2” has received significantly more interest. It would create a layered system in which most data are non-public, but certain, predefined groups would be able to gain more access after a formal accreditation process. This proposed model has two variations: 2A, in which the new process applies only to the EEA, and 2B, which applies to the whole WHOIS system.
A Model 2 approach seems to be akin to ICANN’s ongoing efforts to replace WHOIS altogether with Next-Generation Generic Top-Level Domain Registration Directory Services (RDS) which will likely extend some kind of layered access to classes of certified users. The main drawback of implementing this model now is the clock: there is not enough time to thoughtfully complete and implement a fully developed and layered approach by the time GDPR takes effect in May.
That brings us to “Model 3,” which makes most data non-public and does not release it to anyone except to comply with a court order. This model most clearly complies with GDPR by closely tying access to the purpose of WHOIS. It would still allow the intended functions of WHOIS as a repository of data necessary for administrative functions, without making those data publicly available. Domain registrars need to be able to keep track of transfers of domain names and back up ownership records, but the registrars can do their jobs even if the data are not available to the public. Other interested parties, such as law enforcement, may want access to the data, but their goals must be considered separately from the purpose of WHOIS itself. Additionally, they would still be able to access the data if they get a court order. This model is supported by groups like the Electronic Frontier Foundation and the Internet Governance Project.
As a long term solution, Model 2B, in the form of a new RDS, is preferable as it will account for the legitimate interests of all parties without publicly disclosing everything to everyone. 2B is preferable to its model 2 counterpart because it to provides a uniform, international standard rather than carving up domain name policy along political borders.
We also should not rush the process; a slapdash layered approach to WHOIS would likely create more problems than it solves. Therefore, in the meantime, ICANN should work diligently to complete the new RDS and adopt Model 3 as a stopgap measure in order to comply with GDPR.
The intersection of WHOIS and GDPR highlights the ways in which Internet governance is increasingly bumping into traditional regulation by nation-states. If it ever was, the Internet is no longer a domain outside the reach of governments. It is still a global ecosystem, but, as in this case, global policy can be swayed by regulations in a particular region. Maintaining the legitimacy of private Internet governance rather than government intervention is likely to become an increasingly difficult but important struggle.