Jeremy Greenberg

When Push Comes to Shove: ICANN’s Interim WHOIS Solution

The Internet Corporation for Assigned Names and Numbers (ICANN) is a nonprofit organization responsible for maintaining the WHOIS protocol.1 The WHOIS protocol is a tool for retrieving information about the registrant of an internet domain name—including information such as the registrant’s name, phone number, address, email, and technical and administrative contacts—by querying databases controlled by registrars, such as GoDaddy and HostGator.2 The ability for anyone to retrieve the personal information of domain name registrants using the WHOIS protocol directly conflicts with the EU General Data Protection Regulation (GDPR), which will be fully enacted on May 25, 2018.3  Because GDPR enforcement is just around the corner, ICANN is rushing to implement an interim solution in an attempt to balance customer privacy rights required by GDPR with cybersecurity, law enforcement, and other uses of the WHOIS protocol.

GDPR will forbid companies from sharing EU customers’ personal information without explicit permission from customers, while giving customers the right to remove personal data at any time.4 These privacy protections will apply to domain name registrants’ personal information retrievable through WHOIS queries.5 Therefore, GDPR will substantially reduce the amount of personal information that can be pulled from WHOIS queries.6 Because law enforcement, security researchers, and others rely heavily on WHOIS data for cybersecurity, law enforcement, and IP enforcement,7 the new privacy protections will make it exceedingly difficult for these parties to carry out their essential duties.8 ICANN’s interim solution to this conflict, known as the “Cookbook,” implements an accreditation/tiered program, granting certain parties like law enforcement, security researchers, journalists, and IP enforcement a special carve-out to GDPR rules in order to access WHOIS data while denying other unaccredited parties.9

The exact details of what this accreditation/tiered-access model will entail are still under consideration,10 and most details surrounding the interim plan remain vague and unsettled. But, despite the late hour of its efforts and a lack of clarity, ICANN is performing its due diligence in implementing a temporary solution that balances privacy and security concerns. ICANN has held working groups, such as at the recent ICANN61 meeting, to bring together various stakeholders including government representatives, IP managers, academics, business managers, and domain name managers from around the globe, in order to hash out ICANN’s interim solution.11 Additionally, ICANN has shared its plan with the Article 29 Working Group (the advisory committee for GDPR), which noted the progress of the interim plan and its willingness to continue to work with ICANN to generate a solution.12

Though ICANN has opened the door for analysis, comment, and scrutiny of its interim plan, this does not mean that all stakeholders are on board with the proposal. Consumer privacy advocates, such as the Electronic Frontier Foundation (EFF), are critical of the accreditation/tiered model because they believe that ICANN should not have the authority to act as gatekeeper for who can access registrants’ data.13 Additionally, EFF views the need for ICANN to create a special carve-out for law enforcement as derivative, because law enforcement can already use the power of subpoenas, warrants, and court orders to obtain customers’ information.14 Moreover, should a database housing registrants’ data be located outside the United States, the U.S. can enter treaties with the foreign nations to obtain this data for law enforcement or national security purposes via court order.15 Beyond that, with the recent passage of the Clarifying Lawful Overseas Use of Data Act (CLOUD Act), the process of law enforcement entering into treaties with foreign countries to obtain data will become even easier and codified into law.16

Though EFF’s argument regarding the derivative nature of a carve-out for law enforcement has merit, a carve-out is still necessary to ensure that security analysts, journalists, and IP enforcers have access to registrants’ data otherwise guarded by GDPR data protections.17 In fact, even without the impending privacy protections of GDPR, some variety of carve-out or exception was already needed to reflect the changing landscape of the domain name system and the WHOIS protocol. For example, it has become increasingly difficult for security researchers and others to obtain domain registrants’ information because sophisticated registrants have implemented proxies, such as a software called Ascio,18 to maintain anonymity.19 In cases where registrants’ information is shielded behind a proxy, security researchers cannot access data needed to fully mitigate malware attacks, and journalists cannot access data to obtain contact information for potential sources.20 Additionally, both ICANN and registrars, such as GoDaddy, have limited bulk queries of registrants’ information to prevent spamming from bad actors. However, security researchers rely heavily on bulk queries to perform cybersecurity functions.21 A carve-out would allow accredited parties like security researchers to access this data in bulk, while keeping out bad actors.

Ultimately, the impending enforcement of GDPR is forcing ICANN to make long overdue decisions, at least in the interim, regarding who can access WHOIS data. Though the details of the interim plan remain a mystery, and a long-term plan could be years away, ICANN’s initial efforts to rectify the longstanding conflict between privacy and cybersecurity show a willingness to compromise, while serving both interests.

GLTR Staff Member; Georgetown Law, J.D. expected 2018; Ithaca College, B.S. 2009. ©2018, Jeremy Greenberg.