ICANN begs Europe: Please fill in the blanks on this half-assed GDPR-compliant Whois we came up with

After two years of failed policy work, ICANN has returned to Europe, dropped to its knees, and begged the continent to finish the rest of the DNS overseer's half-done Whois domain-name database so that it doesn't fall foul of GDPR. In a seven-page letter [PDF] to three European commissioners, CEO Goran Marby asked no less …

  1. Anonymous Coward
    FAIL

    Just junk it

    The WHOIS system is already pointless since anyone with any sense uses domain privacy, and only registers domains from registrars that offer it.

    1. Anonymous Coward

      Re: Just junk it

      I think it's reasonable and useful to have whois confirmation for domains owned by companies or organisations that the domain is actually owned by the organisation in question, and not by a squatter or phisher, but domains owned by individuals should be private and must not show address information.

      1. katrinab Silver badge
        Thumb Up

        Re: Just junk it

        Nominet got plenty of things wrong, as is well documented elsewhere in this site, but that is one thing they did manage to get right.

    2. Fazal Majid

      Re: Just junk it

      I believe intellectual property lawyers, governments and other self-important bodies have privileged access that may pierce the veil of WHOIS privacy.

  2. Claverhouse
    Go

    The Gordian Knot

    The EU should just do it for ICANN. ICANN wants them to do it, and anything the EU can do will be 10 X better than anything ICANN can do.

    1. A.P. Veening Silver badge

      Re: The Gordian Knot

      Are you aware that would result in a government IT project actually working? And even if that were possible, do you have any idea about the bill the EU would present to ICANN? That bill alone would wipe out all ICANN assets and future earnings for at least the next ten years, thus wiping out ICANN.

      .

      Oh, wait, I don't see any downside to that, do you?

    2. Psmo
      Trollface

      Re: The Gordian Knot

      Not the job of the EU, nor should the EU change the system for one company that hasn't got their compliance.

      ICANN has very few responsibilities, and this is transparently about some of their best buddies risking not being able to mine the data.

      Do the work, or budget for the fines.

      1. don't you hate it when you lose your account

        Re: The Gordian Knot

        This just smacks of delaying tactics. Definitely time to fine them.

        1. Glen 1

          Re: The Gordian Knot

          They "effectively shut down" whois in the EU, so are technically compliant.

          The paymasters are whining about it, but it looks like the EU is carrying the bigger stick.

          1. Lorribot

            Re: The Gordian Knot

            No they are not, just because they have no whois for EU domains does not mean that EU citizens' data does not appear in other non EU managed databases.

            GDPR is about the data held on an individual not where that data is accessed from, who has access to it or where that data is held.

            1. Maelstorm Bronze badge

              Re: The Gordian Knot

              Then please enlighten me. If data on an EU citizen is held on a US server, by what authority can the EU enforce compliance with the GDPR? The last time that I checked, foreign laws are unenforceable if they conflict with local laws.

              1. Anonymous Coward

                Re: The Gordian Knot

                Think it's on the basis of the US company choosing to do business with an individual in the EU. If the US company then chooses to hold data relating to that EU customer then they need to protect it according to EU law. It's the cost of doing trade with anyone in the EU.

                Companies outside of the EU have two options, adhere to EU law in regards to customers from the EU, or stop trading entirely with customers within the EU. I believe the second option is in fact the one that some smaller US companies have chosen to take, where the small percentage of trade they do with the EU isn't worth the cost of compliance.

              2. Alan Brown Silver badge

                Re: The Gordian Knot

                The same way that USA long-arm statutes work in Europe for companies choosing to do business with Americans, that very same principle applies in the other direction

                Attempting to get GDPR long-arm jurisdiction thrown out would go very badly against any company which tried it in a USA court as it's essentially an attempt to overrule long-settled supreme court decisions

      2. Gordon 10 Silver badge
        Coat

        Re: The Gordian Knot

        @Psmo. You have hit the nail on the head. ICANN are just refusing to believe that they have to take their buddies' snouts out of the trough, as that kills a nice non-GDPR compliant revenue stream.

        Only a whopping fine that wipes out their next 10 years' profits will change their mind.

    3. Richard Jones 1
      Happy

      Re: The Gordian Knot

      ICANN has its home in the USA. So, the EU will need a contract to be drawn up by an EU lawyer at usual hourly rates. Drafting the agreements will then require hourly paid rates for their creation.

      Once the contract is agreed, signed and the initial money changes hands, could the east side of the pond start the contracted work for the west side, ICANN crew.

      Warning, as the west side crew have failed to date, the new documents will not be cheap.

  3. A.P. Veening Silver badge

    And ICANN’s credibility as a global policy-making body will fall one further step. ®

    Is that even possible after hitting rock bottom?

    1. Psmo

      It seems there was a large provision for shovels, picks and wheelbarrows in this year's budget.

      1. A.P. Veening Silver badge

        I'd say they need some diamond drills and high explosives as well.

        1. Anonymous Coward
          Pint

          A traditional tar pit would bury this ancient beast just as well, without additional cost.

          1. Strahd Ivarius Silver badge
            Devil

            It is a 15 min walk from their headquarters to La Brea tar pits...

  4. Lee D Silver badge

    Okay, I'll sort this for you:

    You can store the personal details of those people for whom you have domain control in a jurisdiction (so Nominet can store UK personal details, but ICANN can't, etc. - it's almost like you have a naming authority in every country controlling the TLD, isn't it?).

    You cannot, without good cause, without prior permission, or without purposes like law enforcement, share that data with anyone else.

    There.

    Problem solved.

    It's literally that simple.

    Can I have that $9m a year now?

    WHOIS is a private, internal customer database that should not be queryable by random members of the public, through any proxy. Everyone who holds that data or accesses it is bound by the same data protection on it. So if you don't trust them not to publish it online or share with other people, don't give it to them.

    And the number of people who have an actual need to use it to contact people on personal details stored on the system are basically: The companies that supplied that info in the first place (i.e. the domain registrar who asked you to register a domain for them), or law enforcement. The former have the info. The latter only need it when they issue a warrant, which they could issue to the domain registrar. So why are you involved with storing it at all? You merely need store the registrar who took the money from the client and asked you to register it on their behalf.

    Just because you USED to rely on this being public to the world, and everyone knowing who owns every domain, including their home address and telephone number does NOT mean that it was ever compliant with basic privacy laws, or should continue in that way indefinitely.

    1. Steve K

      Good ideas, but...

      @Lee D - Good ideas, but Nominet.... really? On recent form, they will just try and monetise it too!

      1. Lee D Silver badge

        Re: Good ideas, but...

        Part of the cost of doing business is the cost of doing business compliant to the law.

        If they want to monetise it, they have to jump through the legal hoops to do so that they are trying to avoid.

      2. Graham Cobb

        Re: Good ideas, but...

        Nominet have no more rights to the data than ICANN. The entity storing the data must be the one with whom I have a contractual relationship (the name registrar).

        Of course, the name registrar has a commercial relationship with Nominet, which should require them to store the contact details and provide them only to a holder of an appropriate court warrant.

        Whois has mostly outlived its usefulness: anyone registering a name should have a free choice whether to provide full, limited or no contact information to whois. The commercial agreements should require that if the registrant decides to provide information to whois, it has to be accurate (no "mickey mouse") but there is no requirement to provide any. Some countries may require registrants from their country to provide certain information (e.g. UK companies might be legally required to provide certain contact details, other countries may have no such requirement). But this would be a requirement on the registrant, not the registrar.

    2. Anonymous Coward

      "You can store the personal details of those people for whom you have domain control in a jurisdiction"

      That's how it is already. This has nothing to do with the country-domains.

    3. Mike 137 Silver badge

      What's the real question re GDPR?

      How does ICANN's position differ from any producer of telephone directories? That's personal information too (and very similar in nature and extent) and anyone can gain access to a telephone directory as well. However telephone directories have not been declared unlawful.

      The real problem here is that ICANN was unable to choose an appropriate GDPR lawful basis and apply it in time for the Regulation coming into force, so they're obliged now to try for a retrospective kludge to get off the hook, and they clearly want the regulators to tell them how to do it. They probably won't, as that would be a conflict of interest.

      It would have been perfectly possible, just for example (although maybe not optimum) to distinguish between personal and organisational registrations and hide the former unless consent were provided at renewal time, or to make the publication of the data required on the basis of contractual necessity (probably a better choice) and hide all entries until renewal, when a new contract could be applied. And these are only two out of quite a few alternatives that don't seem to have crossed anyone's mind.

      However leaving critical tasks until too late is not unique to ICANN, particularly in respect of personal data protection, which no organisation seems to take very seriously until caught out.

      1. Ben Tasker

        Re: What's the real question re GDPR?

        > It would have been perfectly possible, just for example (although maybe not optimum) to distinguish between personal and organisational registrations and hide the former unless consent were provided at renewal time

        That's been proven not to be quite as simple as it sounds.

        Nominet tried that a little while ago, requiring that Whois details be public for "commercial" registrations. So they did an audit, turned records public and sent notifications.

        Lots of people had their information (including home addresses) published without consent, or prior notice, because Nominet's definition of "commercial" was questionable. You've got adverts on your webpage, commercial

        Is it possible? Yes. Should we trust Nominet, or indeed ICANN to do it without screwing it up? Definitely not.

      2. katrinab Silver badge
        Meh

        Re: What's the real question re GDPR?

        In the UK, listing in the telephone directory is optional, and increasingly few people are opting to be listed in it.

      3. Alan Brown Silver badge

        Re: What's the real question re GDPR?

        "However telephone directories have not been declared unlawful."

        Once upon a time in many countries, being "unlisted" in a telephone directory was an extra fee

        Then privacy laws came along and it was pointed out that listing people against their will was _unlawful_ AND that charging them to not be listed amounted to extortion, so telephone book publishers first of all dropped the "unlisted" fee and then realised they had to actually ASK to list individual account holders in the first place

        The result in both New Zealand and Australia was that phone book white pages literally halved in thickness over a two year period

    4. Rol

      My thoughts exactly.

      In fact it should be the de-facto way by which all personal data is stored - on a server in the country you reside in.

      If this doesn't become law, then what of your personal information when Google opens its first Moon based server? You know, in a jurisdiction that world governments and international bodies have no sway in?

    5. Maelstorm Bronze badge

      What good will fines do?

      ICANN is based in the US and operates under the Department of Commerce. They are not under the purview of the EU. So, with that in mind, what exactly will fining them do? It's a different country so they aren't going to pay it. If ICANN wants to play hardball, any registrar who refuses to run a public WHOIS database may get their contract, and their ability to register domains, revoked. I'm surprised nobody has brought this up yet.

      Unless of course I'm missing something, which I know I probably am. So, would someone please enlighten me?

      1. Lee D Silver badge

        Re: What good will fines do?

        The I stands for internet, which is a portmanteau of International Network.

        They have European stakeholders, pretty much the same amount of the world's market is in the EU as it is in the US.

        And when you "play hardball", all those European TLDs and their owners go walkies, set up their own naming authority, and if you want to resolve anything other than .com you have to use their nameservers, and if you want Europeans to come to your .com you better have a two-way relationship so they can query you the same way you can query them. Because 50% of your International market disappearing from the Internet hurts both sides, but a damn sight less if the organisation that replaces it is under the proper international co-operative control for an international organisation.

        In actual fact, what will happen is ICANN will kowtow because, if they don't, their reason for existing disappears and a new entity will form in its place that the rest of the world will acknowledge, and only the US will be using ICANN (because apparently they only want to play by US rules, right?). There's a reason ICANN are trying hard to comply. They wouldn't bother if they wanted to play hardball or thought the rules didn't apply to them.

        The WHOIS database is a really petty issue that is literally a no-brainer. Stop publishing it to the world. Problem solved. You can have it, you can share it in certain necessary circumstances, but stop letting anyone get that data. Literally Data Protection 101.

        But if ICANN doesn't want to play by the rules of the other 200+ countries that it serves, then it's going to have a really rough time controlling those members and convincing them that it's an independent, co-operative organisation.

        It's literally a standards organisation to make sure two countries don't use the same numbers or names, that's it. Professing that it should be unquestioned lord and master of all international data protection law to do that is really stretching its remit.

      2. Alan Brown Silver badge

        Re: What good will fines do?

        "Unless of course I'm missing something, which I know I probably am. So, would someone please enlighten me?"

        GDPR has criminal penalty teeth and any ICANN director setting foot in the EU doesn't want to find themselves the subject of an arrest warrant

  5. Anonymous Coward

    an issue that gets overlooked...

    As the owner of a domain name, in some circumstances I might prefer my ownership to be a matter of public record - just as my ownership of a UK limited company can be confirmed by a lookup at companies house, shouldn't we have that option?

    On the other hand as a scammer with a name like TE5C0.com trying to trick punters into confusion with TESCO.com I'd be delighted with the "privacy" (which raises the issue of sloppy/non-existent registrant verification because the scammers just provide fake contact details anyway)

    1. Strahd Ivarius Silver badge
      Trollface

      Re: an issue that gets overlooked...

      Should law enforcement ask The Reg for your contact details now that you have confessed to be this infamous scammer?

    2. DavCrav

      Re: an issue that gets overlooked...

      "As the owner of a domain name, in some circumstances I might prefer my ownership to be a matter of public record - just as my ownership of a UK limited company can be confirmed by a lookup at companies house, shouldn't we have that option?"

      There is no directory of owners of limited liability companies. There is a list of directors of LLCs.

      There should also be a database of who owns web addresses, just like there are databases of who owns physical addresses. But I cannot find out who lives where at the touch of a button.

  6. Pascal Monett Silver badge
    Coat

    ICANN can sort it out quite quickly

    Just ask the German registrar that sent it packing what it is doing and copy that.

    I'm sure the registrar would be happy to help - for a small fee. Say, $9 million ?

    Mine's the one with a copy of the GDPR in the pocket.

  7. Doctor Syntax Silver badge

    Very simple. The name of any corporate registrant should be publicly available on whois complete with contact information for appropriate roles (not names of holders) such as an overall contact for the registration, administrators such as webmaster and postmaster for any outward facing services, and data protection officer. For any personal registrant the information should only be revealed on production of a court warrant issued in the jurisdiction of the registrar.

    1. Strahd Ivarius Silver badge

      Is it not already mandatory to provide this information on the web site?

      1. Doctor Syntax Silver badge

        It might be mandatory but if the domain owner chooses not to do so it's a bit difficult to work out who they are.

        If BigCo has their website flogging their rather dubious products they may well register some "review" site which habitually praises them and do so anonymously because they can.

        I vaguely remember receiving spam a few times from somebody flogging print services. They put their limited co name on the email but not their registered number. I think there were also some errors on their website - possibly about address - so I grassed them up to Companies' House who didn't fine them but "helped them" to fix their errors. The spam stopped.

    2. Anonymous Coward

      It's not as simple as you seem to think.

      For one thing, some corporate registrants will have very powerful and justifiable reasons not to have their contact data published in whois - refuges for domestic abuse victims, people who might be targets for violence because they run a mosque or a lab that does animal testing, etc.

      Now consider sole traders like Bob the Builder. Would they be corporate registrants and in whois or personal registrants who wouldn't?

      If whois could be fixed simply, it would have happened a long time ago. The problem is too many fuckwits think it could be fixed and are happy to see others waste their time and money trying to find a solution that just isn't possible.

      1. katrinab Silver badge
        Coat

        A Sole Trader is a personal registrant.

        An English Partnership is a personal registrant, even in Scotland.

        A Scottish Partnership is a corporate registrant, even in England.

        Because a Scottish Partnership has a separate legal personality to the partners, and can own property and enter into contracts in its own name, whereas an English Partnership can't.

      2. DavCrav

        "For one thing, some corporate registrants will have very powerful and justifiable reasons not to have their contact data published in whois - refuges for domestic abuse victims, people who might be targets for violence because they run a mosque or a lab that does animal testing, etc."

        No.

        If you are running a refuge then you should probably not have your registered address, which is necessarily public so that people can contact the company, and the refuge address to be the same.

  8. Anonymous Coward

    Clarity

    The GDPR position has always been perfectly clear to the rest of the world except ICANN: sharing personal information without good cause or permission is illegal and large fines apply. Yes, you can keep a list of your customers' details (securely). No, you can't sell or share that list to all and sundry. Yes, that applies to you too.

    Do the EU really need to point out that this makes WHOIS fundamentally illegal within the EU?

    1. A.P. Veening Silver badge

      Re: Clarity

      Do the EU really need to point out that this makes WHOIS fundamentally illegal within the EU?

      Various parties including the EU and the German registrar have already repeatedly done so. The real problem is that ICANN still doesn't understand GDPR also applies to ICANN (and other American companies thinking they are exempt as they only follow American laws and that only as far as they can't bribe their way out).

    2. Doctor Syntax Silver badge

      Re: Clarity

      Actually, it's only illegal as regards actual people resident in the EU. It isn't as regards corporate registrants but nevertheless they're hidden because of it.

      1. A.P. Veening Silver badge

        Re: Clarity

        Not only EU, EEA (Norway, Iceland and Switzerland) as well.

  9. Anonymous Coward

    $9 mil?

    If, as they claim, it will cost them $9 million, then that means they expect to earn more than $9 million from it - otherwise they'd just shut it down.

    It's all about making money selling people data. Nothing more.

  10. Anonymous Coward

    My "GDPR compliant" whois records are not compliant

    I run my own nameservers. These are not "redacted for privacy" in either the ICANN or Nominet public whois databases. Whilst it's not my home address, it does uniquely identify me.

    (Of course, anyone could get that information simply doing a NS lookup on the domains, but is "it's available elsewhere" a valid defence?)

    1. katrinab Silver badge
      Meh

      Re: My "GDPR compliant" whois records are not compliant

      Publishing the authoritative name servers for a domain is kind-of essential if you want it to actually work as a domain.

      1. Anonymous Coward

        Re: My "GDPR compliant" whois records are not compliant

        Not in the "whois" db though!

  11. ortunk
    Devil

    I have a fake employee in my company with email and LinkedIn profile, Twitter etc...

    he handles matters of privacy for me and my customers

    1. Nifty

      He will be on the payroll of course.

      Nigeria government's audit removes nearly 24,000 non-existent workers

      https://www.bbc.co.uk/news/world-africa-35683354

  12. Graham Cobb

    Time to get rid of ICANN?

    It is perfectly technically feasible to get rid of ICANN altogether. There is nothing stopping someone setting up an alternative name resolution service, with its own root servers - either using the DNS protocols and software, or something else. In fact, several already exist, although the public ones all incorporate and extend the existing root servers and use standard DNS protocols and software.

    In particular, as use of DoH and DoT increases, I expect to see many apps and services use their own naming infrastructure internally. I believe malware already does this, and things like filesharing are obvious potential users as well. It can't be long before one of the DoH or DoT operators (such as Mozilla, Google, etc) decides to do this and offers names under their own control, not ICANN's.

    1. Anonymous Coward

      Re: Time to get rid of ICANN?

      Go ahead - knock yourself out. Good luck.

      Come back once you've set it all up and got the infrastructure working. Who's paying for it BTW? That's the non-trivial but easy bit.

      You then need to come up with all the policy-making goop and a governance structure that world+dog will agree upon and is prepared to get involved in. Good luck with that too.

      And hey, after all that look what you'll have achieved - ICANN 2.0!

    2. Doctor Syntax Silver badge

      Re: Time to get rid of ICANN?

      There needs to be a definitive account of addresses as a source for secondary services. It's easy to see why malware might deviate from that.

      However the primary requirement of the ICANN root service is to point to the TLD servers so the TLDs could, if sufficient of them chose (and managed!) to agree amongst themselves to take one of the root server mirrors into the primary. The likely outcome would be a certain amount of conflicts due to holdouts but if those making the initial break were sufficiently dominant the rest would have to follow eventually. The difference between the heretic and the orthodox is who wins.

      1. Graham Cobb

        Re: Time to get rid of ICANN?

        The way I think it will happen is something like:

        Google announce they are introducing a new naming service that builds on top of ICANN-DNS and offers additional names, of any form, with no limitations on TLDs, to anyone willing to pay. It will work on all Android devices and Play store apps, all Chrome-based browsers, and anyone else can build it into their app/device/service if they want by just using Google's DoH service. Google will offer anonymity (for a price) - although it won't be anonymous to them, of course. Law enforcement and MPAA lawyers will be offered a chargeable service to provide details on who is paying for the name.

        The non-ICANN names will not use the DNS root server-based infrastructure, or even any of the DNS protocols except DoH - they will just use a database Google create.

        If you want to register "doctor-syntax.curmudgeon" :-) it can be yours, for a price.

      2. Anonymous Coward

        Re: Time to get rid of ICANN?

        What "ICANN root service"? There's no such thing.

        IANA (which is part of ICANN) maintains the root zone. Somebody else is in charge of distributing it to the 12 organisations that run the Internet's root servers, 1 of which is ICANN.

        The IP addresses of those root servers have to be embedded in the configuration of just about every resolving DNS server. Once you've convinced the planet to use this new non-ICANN root, you have to change the configuration of every one of those resolving servers. Good luck. There have been many attempts to do this. They've generally ended in tears, derision, lawsuits and insolvency or some combination of these.

        The chances of all the TLDs agreeing amongst themselves about anything are far, far lower than Boris or Trump telling the truth.

        Now suppose we suspend reality and assume this was possible. Something - which presumably was impartial and neutral - would need to oversee the maintenance and co-ordination of your shiny new root. Congratulations! You've just created ICANNv2.

        1. Graham Cobb

          Re: Time to get rid of ICANN?

          You missed the point. The point is that commercial companies, who control (virtually) all the user access points to the internet (not yours, or mine, but phones, TVs, IoT devices, consumer PCs, etc) can (and will, one day) choose to walk away from the IANA root zone and ICANN, and make it just a small part of a much larger naming environment they control, and eventually pretty much irrelevant.

          1. R Soul Silver badge

            Re: Time to get rid of ICANN?

            no, it's you who is missing the point.

            companies like facebook, twitter, google, amazon, apple, etc already have total control of the user/victim experience. they make sure their sheeple are kept locked inside their platforms without needing their own root. so there's no need for them to bother with the expense and hassle of arranging their own replacement root. it doesn't give them any more control than they've got today. once you step into their walled gardens, they've already got you by the balls.

            if they did use their own alternate roots, the authorities and ambulance-chasers in just about every country would have them in court faster than you can say class action anti-trust lawsuit.

  13. James Anderson Silver badge

    Why is this different from Companies House

    Or any SCC filing?

    The EU should require that the owner of a domain name be identified and traceable and that this information should be in the public domain.

    All these "privacy" concerns just make life easier for scammers, malicious governments and other bad actors to operate with impunity.

    1. Doctor Syntax Silver badge

      Re: Why is this different from Companies House

      You're assuming that domain owners are corporate bodies that make such filings elsewhere. Many of us here have our own domains for our own purposes such as email addresses and are entitled to privacy in this as in any other respect. Individual privacy is regarded as a basic right in Europe. Your use of SCC suggests your expectations are US-centric where you're denied such rights.

    2. Ben Tasker

      Re: Why is this different from Companies House

      So, because I make information to others (for free, I might add), I should have my phone number and home address publicly available (and in a manner that's trivial to look up)?

      That's what pre-GDPR whois was, if you didn't use privacy services.

      In a world where SWATting is a thing, and people discharge firearms in pizza places because of conspiracies they've read online, the idea that we should all have our contact info easily discoverable is unbelievably naive.

    3. Graham Cobb

      Re: Why is this different from Companies House

      The EU don't require that the owner of a car be identified and traceable for the public. Nor even the owner of postal addresses (land may be registered, but it tells you nothing about which company is using a particular postal address).

      Why should domain names be any different?

    4. Anonymous Coward

      Re: Why is this different from Companies House

      The fact that "private registration companies" are allowed to exist is enough proof that this information doesn't need to be public, and therefore, "private registration companies" need not exist!

  14. Silas S. Brown

    Whois lookups used to be useful

    If I'm thinking of dealing with a company, charity or other organisation, I used to rely on WHOIS to let me check that the domain really does belong to them. Obviously I'm not after anybody's home address to snoop or whatever, I'm just after a bit of reassurance that a third party (the registrar) was convinced this website owner is the "real deal". Office address would be fine by me (if they have an office). And creation / transfer dates give you some idea how long they've been around (at least on the 'net): "a few years" is better than "since last week". Not infallible I know, but every clue helps when you're trying to figure out how much risk to take.

    Nowadays, even the genuine domains of some large organisations will WHOIS-lookup to a "privacy service", which was probably a mistake (did somebody forget to tick the "no we don't want this" box?) - they could easily have put their headquarters address in there, to help establish the domain as genuine, without disclosing anything they weren't already making public on their About Us page. What a missed opportunity.

    1. Doctor Syntax Silver badge

      Re: Whois lookups used to be useful

      This is exactly why I suggested above that corporate registrants should be disclosed in whois. The baby has been thrown out with the bathwater.

    2. doublelayer Silver badge

      Re: Whois lookups used to be useful

      Depending on your country, most likely all large-enough companies and all charities are already registered somewhere. That somewhere is usually the bureaucratic entity responsible for verifying filings, meaning you know that what is there is at least a little verified. It often includes a web address if the company concerned has chosen to provide one.

      Using whois as a proxy for this has two primary problems. You're trying to verify details about the company or to verify that the domain belongs to them. Here's how that breaks:

      Verify that the domain is theirs: If I'm setting up a fake domain, I can easily put in the information for the place I'm impersonating. It's not independently verified and has never been, so nothing prevents me using that mechanism. I can include a phone number that's intentionally mistyped or, if I think my victims are likely to actually test it, I can set up a phone number for the purpose. Or I find a number for the actual organization which nobody answers and include that. But let's be honest, if I'm a scammer I'm probably planning that my victims aren't going to put that much effort in anyway so I could probably ignore those few who are suspicious enough to call a phone number in a whois record.

      Find details about the owner: You're not going to find anything of use. If the company wants you to contact them, and they probably do, you'll find addresses, phone numbers, and email addresses or contact forms on their website. If they don't, you can probably find those details on a map or phone book. Meanwhile, lots of places that aren't companies may wish you not to have those details to avoid spam, disruption, or harassment.

  15. Anonymous Coward

    ICANN once again tries to flim-flam the EU ...... and once again will fail !!!

    ICANN does not want to comply with GDPR and has spent 2 years trying to find a way round it.

    Now they are trying to seek 'clarification' to complete a minimal system by asking the EU to spec out the bits they have missed.

    The idea is to then appeal for more time to implement what the EU defines.

    Reality states that they should just pay someone to implement what is needed and if that means they have to spend 'real money' so be it.

    At some point, real soon, the EU will stop being polite and will start issuing fines ..... BIG fines !!!

  16. Lorribot

    ICANN is a US company that thought it sat outside of laws and the like and could grow old and fat off the sweat of the real doers in the world. They have had a wake up call that the US does not own everything and they really need to get out more.

    I am surprised the CEO of ICANN actually managed to find Brussels in Belgium and didn't end up in Wisconsin.

  17. hayzoos

    ICANN should provide them the answer

    It does deserve a kindly worded and sympathetic response. Such as: We have reviewed your message and after much re-reading and head scratching have concluded that you seem to be requesting our answer to your apparent quandary. As you seem to be stating that there is no easy or cost effective solution to maintain whois in compliance with GDPR, we have come to the conclusion that you must shut down whois. You have 30 days to shut it down. After 30 days we will verify shutdown and if we find it has not been shut down, we will begin disciplinary actions as enumerated in the GDPR which includes fines.

    Careful what you ask for.

    I would find a non-anonymized whois record for a particular website to be useful at the moment. I am finding myself blocked from the website thanks to Cloudflare's firewall flagging my VPN as a risky access. I am told that the website owner has locked down a little too much and I should contact them. Whois would be a good way for me to find contact info for the company. I wish to opt-out of their publishing of my information under the guise of genealogy. I don't have the GDPR to help me either as I am in the US and so are they. Which probably also explains why their contact info is hard to find.

    1. Anonymous Coward

      Re: ICANN should provide them the answer

      Arrrgh, those Cloudflare blocks are a pain in the ass.

      Anyway, can't you email said genealogy company?

      1. hayzoos

        Re: ICANN should provide them the answer

        I tried emailing the common aliases such as admin@ webmaster@ abuse@ only to receive non-deliverable bounce messages for each I tried.

    2. Alan Brown Silver badge

      Re: ICANN should provide them the answer

      " I don't have the GDPR to help me either as I am in the US "

      Check _your_ state's privacy laws. Many of them provide the protection you need

      Then Joe Doe the website owners in local court for privacy violation (assuming you can)

      1. hayzoos

        Re: ICANN should provide them the answer

        I'll have to check into that. It may prove useful beyond this one example. If not I may have to start a letter writing campaign to representatives to request a privacy law.

  18. David Woodhead
    WTF?

    This is not useful

    And just how are the rest of us out here supposed to a) understand, b) monitor and c) enforce all of this crap? It has no connection with the real world, except via the medium of lawyers. Good luck with that.
