US Government in Whois GDPR Warning

The head of a US government agency has warned against over-zealous changes to the Whois internet lookup service in order to comply with the forthcoming EU General Data Protection Regulation (GDPR).

The decades-old system publishes the personal details, including name, address, email and telephone number, of every domain name registrant. However, this flies in the face of Europe’s new privacy laws, which state that businesses must obtain clear consent from individuals to store and publish their personally identifiable information (PII).

One of the key issues is that Whois is also a valuable tool for cybersecurity researchers and law enforcers, who use it to try to attribute attack campaigns.

That’s a point alluded to by David Redl, the new head of the US National Telecommunications and Information Administration, who talked tough at a State of the Net 2018 presentation this week.

“Here are the facts: the text of the GDPR balances the interests of cybersecurity, law enforcement, and consumer protection, and many European officials have noted that limited changes to the Whois would be necessary to achieve GDPR compliance. Still, there are some who are trying to take advantage of the situation by arguing that we should erect barriers to the quickly and easily accessible Whois information. Some have even argued that the service must go dark, and become a relic of the internet’s history,” he reportedly argued.

“Today, I would like to be clear — the Whois service can, and should, retain its essential character while complying with national privacy laws, including the GDPR. It is in the interests of all internet stakeholders that it does.”

This could set the US government on a collision course with ICANN, which has offered three options to protect registries and registrars from GDPR liability until its new — and long-awaited — Next-Generation gTLD Registration Directory Services (RDS) is ready.

These proposals include one in which only “a defined set of third-party requesters would be authorized to gain access to individual registrants' personal data,” according to the EFF. In a more extreme option still, access to personal data would only be given under subpoena or court order.

That would seem to fly in the face of Redl’s comments when he argued: “the US government expects this information to continue to be made easily available through the WHOIS service.”

DomainTools CEO, Tim Chen, welcomed the remarks.

“Whois data has been a critical resource in defending the openness, transparency and security of the internet,” he argued. “The security and protection of individuals, employees, customers, brands, IP and a host of other important assets and constituencies will continue to depend on understanding who owns and controls resources on the internet.”