
If you have ever registered a domain name, you’ll know that your name, contact address and phone number are displayed on a public register known as WHOIS, unless you pay for a proxy service to hide that information.
That practice is about to change, courtesy of the new EU privacy rules (GDPR), as the organisation in charge of managing the internet’s domain name system, the Internet Corporation for Assigned Names and Numbers (ICANN), scrambles to comply with the upcoming regulation. The regulation prohibits companies from sharing their European customers’ personal data without explicit permission, and gives customers the right to delete their data at any time.
ICANN’s proposed plan to comply with the rules suggests that WHOIS entries may soon contain a lot less information. The proposal requires companies that sell domain names to hide customer information (name, contact address, phone number, etc.) from public display, and provides for an “accreditation program” to be set up so that third parties who have a legitimate need for that information can access it. To gain accreditation, third parties would have to follow a certain code of conduct, but it appears the code of conduct has not been fully figured out yet and may not be ready until December 2018.
Limiting access to WHOIS information has raised concerns from stakeholders. Denial of appropriate WHOIS access will force law enforcement and cybersecurity researchers to resort to court orders, which, according to stakeholders, will greatly increase the overall cost of fighting cybercrime. The question is whether the benefits of having domain name customer data in the public space outweigh the privacy benefits of making it harder to access. The challenge before ICANN is striking the right balance between privacy and security as it scrambles to meet the May 25 GDPR compliance deadline.