How GDPR Could Complicate a Key Online Service

The General Data Protection Regulation, designed to increase privacy of users online, could have a painful side effect for ICANN, which manages the internet’s domain names. The reason? A database it manages—WHOIS, one fundamental to the way the internet works—does not comply with GDPR.

The European Union’s General Data Protection Regulation (GDPR), taking effect in a little more than a month, could permanently change the way some of the internet’s basic plumbing works.

For two decades, the Internet Corporation for Assigned Names and Numbers (ICANN)—the nonprofit that effectively maintains the internet—has kept up the basic structure of the Domain Name Service, including the query system WHOIS, which is designed to let people know who owns a domain name. This function, reports The Register, falls under the purview of GDPR, and as a result, will be considered illegal once the regulation takes effect May 25.

ICANN, which learned of the European Union’s decision [PDF] on WHOIS last week, has announced that it will be unable to make necessary changes to the service before May 25 and that its ability to comply with GDPR would not be possible until a year after the regulation takes effect.

A lot of people who are using this data won’t be able to get access to it, and it’s not going to be pretty.

“Without a moratorium on enforcement, WHOIS will become fragmented and we must take steps to mitigate this issue,” ICANN President and CEO Göran Marby wrote in a news release. “As such, we are studying all available remedies, including legal action in Europe to clarify our ability to continue to properly coordinate this important global information resource. We will provide more information in the coming days.”

The result of the rule change would lead to WHOIS working inconsistently in different parts of the world. Already, registrars in the United Kingdom and other countries don’t provide the level of information that’s made available elsewhere in a search for a domain name. In comments to The Register, Akram Atallah, the president of ICANN’s Global Domains Division, said he hoped that the result would not mean that WHOIS is shut down entirely while a replacement is built.

Others are less optimistic.

If the service does shut down, it could create some significant problems. Security researcher Brian Krebs wrote last month that moves to limit the level of information on the public WHOIS system could lead to a variety of issues with the way the internet works, including a potential increase in online scams.

Speaking to Krebs, ICANN Security and Stability Advisory Committee Chair Rod Rasmussen warned that GDPR’s new requirements could prevent key anti-spam technologies from working correctly.

“A lot of people who are using this data won’t be able to get access to it, and it’s not going to be pretty,” Rasmussen said. “Once things start going dark it will have a cascading effect. Email deliverability is going to be one issue, and the amount of spam that shows up in people’s inboxes will be climbing rapidly because a lot of anti-spam technologies rely on WHOIS for their algorithms.”

The situation with WHOIS highlights the unexpected ripple effects that GDPR can have for organizations that are not just limited to their email lists or their messaging. ICANN represents basic plumbing, and regulatory changes can limit that organization’s ability to fundamentally do its job.

(Bet_Noire/iStock/Getty Images Plus)

Ernie Smith

By Ernie Smith

Ernie Smith is a former senior editor for Associations Now. MORE

Got an article tip for us? Contact us and let us know!