Why The Public Directory Of Domain Names Is About To Vanish

The WHOIS service has run into the legal landmine of European data regulation and highlighted the weakness of consensus-based internet governance in the face of the law.

Until May 2018, anyone could look up the name and contact details for the owner of a domain name. The Internet Corporation for Assigned Names and Numbers (ICANN), the US-based private company that coordinates internet domains and IP addresses, required companies that register domain names to collect and publish personal data in the so-called WHOIS service.

While far from a household name, WHOIS was widely relied upon by law enforcement and intellectual property owners to investigate and combat online crime and abuse. At the same time, privacy advocates and regulators have raised concerns about the mandatory publication of every domain name holder’s name and contact details. These groups, each with their legitimate viewpoints, have been talking – sometimes shouting – past each other within ICANN for the past 20 years.

Then in May, the European General Data Protection Regulation (GDPR) arrived. The principles relevant to publication of WHOIS data were unchanged, but the GDPR’s big fines and long-arm jurisdiction captured the attention of the dominant US players within ICANN. Suddenly data protection became everyone’s problem, not just a quirky European wrinkle.

Despite warnings from several groups, the ICANN community as a whole failed to see the GDPR coming until a few months before GDPR took effect. There was a mad scramble to put in place a temporary policy that would be compliant with privacy laws.

On 25 May, the WHOIS 'went dark': all personal data was removed. Since then, ICANN has sued one of its own registrars in Germany for refusing to collect certain WHOIS data items. ICANN has so far lost at first instance (both on an emergency application and full hearing), then on appeal, and has failed to obtain a reference to the Court of Justice of the EU. The German courts gave the status of ICANN’s consensus policies and contracts short shrift in the face of a European regulation.

In an effort to salvage a publicly accessible WHOIS service, ICANN has set up an emergency working group. The group is tasked to agree what, if any, registration data could still be collected and published on the WHOIS (company data? Non-EU data?), while a separate group is trying to agree rules to allow law enforcement and others access to non-public registration data. 

The emergency working group was due to make its interim recommendations by an ICANN meeting in Barcelona in October, but as the meeting approaches, there is no sign of consensus.

Any policymaker will recognize that there are some issues on which multiple stakeholders will have incompatible, but legitimate views. In such cases, someone neutral has to step in to frame a solution which can reasonably satisfy all interests, without one side ‘winning’.

This approach is absent by design from the ICANN multi-stakeholder process, where policies are formed through consensus in a bottom-up process, and ICANN the organization assumes a passive role. The current temporary policy was only possible because the ICANN board imposed it, in an unprecedented break from tradition.

So, what will happen next? As is often the case with ICANN, the organization and its multi-stakeholder process are facing an existential crisis. Unable to solve this thorny policy issue for 20 years, ICANN’s latest group is unlikely to find consensus in the following days.

ICANN has lost in the German courts and the European Data Protection Board views with skepticism ICANN's claims that the interest of 'third parties' can justify continued collection and publication of WHOIS data.

Most public registers (like Companies House or the Land Registry in the UK) are required by statute, giving legal cover for their processing of personal data. There is no equivalent in the ICANN world. ICANN has no ability to impose laws – it can only create 'consensus policies' which are reflected in contracts.

This may be a pragmatic way to achieve international implementation of policy, bypassing the dreary complexity of jurisdiction and international agreements. But consensus policies are informal instruments which, apparently, do not have the required status to offer protection or exemptions from the enforcement regimes of European regulations.

In recent years, intelligence agencies and law enforcement have consistently complained that the Internet is ‘going dark’. This narrative is partly hyperbole and partly accurate, reflecting uptake of end-to-end encrypted applications such as WhatsApp, Signal and Telegram, adverse legal decisions in relation to the collection of bulk data, and stronger encryption available at the transport layer, such as TLS 1.3.

The WHOIS represented a small but strategic jump-off point for investigations, allowing law enforcement to look for patterns, or identify lines of enquiry. While the ICANN community struggles to find a way forward, yet another tool for law enforcement has disappeared.

Chatham House:

Emily Taylor is Associate Fellow, International Security at Royal Institute of International Affairs
 