What’s in a Name? Domain Registration Changes in the Wake of the GDPR

The European Union’s passage of the General Data Protection Regulation (GDPR) in early 2016 was a paradigm shift in data protection and privacy. The GDPR granted basic data privacy rights to all EU citizens, regardless of where that data was stored. It also placed the burden of protecting the private details of citizens on any company collecting that type of data.

Organizations around the world had until May 25, 2018, to comply. One of the more consequential organizations that was late in preparing was the Internet Corporation for Assigned Names and Numbers (ICANN).

ICANN’s role is unique compared with most companies on the internet. It maintains a critical tool in the organization of domains: the WHOIS directory, which enables users to identify domain name registrants. And in the months leading up to the implementation of the GDPR, that directory was not private and not in compliance.

“We’ve been on ICANN’s back for the last two years,” said Tom Keller, head of domain services at the web hosting company 1&1 IONOS. “There has been a discussion with the community and ICANN, and they can be slow moving.”

Registering a domain on the internet has historically been a public transaction and has evolved significantly. The architects of the internet did not have privacy in mind, but public concern is now making privacy a priority. New legislation like the GDPR is forcing internet foundations to adjust, which has had a ripple effect on industries and businesses built on the internet’s public nature.

History of the Domain Name System

In the early 1980s the development of the internet was at a crossroads. Developers of what was then called ARPANET learned that finding another computer on the network using machine-readable 1s and 0s was difficult, so a file called “HOSTS.TXT” was created. The internet was small enough that a computer that wanted to join the network would log a name into the document along with its machine-readable IP address. This allowed the computer to look up any other computer on the internet by referencing this file, which was copied and stored on every computer on the internet.

This wasn’t sustainable. The need for a distributed naming system that could keep up with the expanding internet became a priority. In 1983, software engineer Paul Mockapetris proposed the Domain Name System (DNS) to address this issue. Much like its predecessor, the DNS assigned names people could remember to IP addresses. Unlike the previous process, however, domains and their corresponding IP addresses would be stored on servers rather than on every computer on the internet. A person looking for a specific place on the internet (e.g., www.google.com) could send the domain request to the server to look up the IP address and connect.

How the Domain Name System Works

Domain Registration Terms to Know

The following terms are commonly used when discussing domain registration on the internet.

DNS: the Domain Name System. It translates domain names to a machine-readable IP address, which is uniquely mapped to every device on the internet.

Domain: a user-friendly string of characters that can be used to access a site on the internet. A domain comprises two parts. The highest level of the domain, appearing at the end of a website name, is called a top-level domain. This can be a .com or a .edu, and the list of valid top-level domains is maintained by ICANN. The portion of a domain before the dot is called a second-level domain, which is usually the name of the site. The unique combination of a top-level domain and a second-level domain forms the domain mapped to an IP address on the internet.

ICANN: the Internet Corporation for Assigned Names and Numbers. ICANN is a Los Angeles-based nonprofit that describes its mission as ensuring “the stable and secure operation of the internet’s unique identifier system.” This includes making sure that each domain name is unique and maps to the correct IP address. ICANN accomplishes this by working with accredited registrars so that domains are unique and accounted for.

IP Address: a series of numbers that serves as a machine-readable unique identifier for every computer and device on the internet.

Registrar: a party recognized by ICANN that can register a domain on behalf of a customer. Registrars coordinate with ICANN to ensure there are no duplicate domains.

WHOIS Directory: the free directory containing the contact and technical information of registered domain name registrants. WHOIS is a searchable directory maintained by ICANN and contains information such as a domain’s creation and expiration date, the registrar’s name, and how someone can contact the registrant. This directory has been heavily affected by the GDPR, which was implemented in May 2018.

How to Register a Domain

ICANN supervises the assignment of IP addresses and domain names. Registering a domain is a three-step process:

  1. An interested party, known as the registrant, contacts a registrar to notify them that they would like to purchase a domain.
  2. A registrar takes the registrant’s desired domain name to a registry to verify it is available. A registry maintains the list of second-level domains registered to any one top-level domain. For example, the registry for any website ending in .com is maintained by Verisign Inc. in Virginia. A list of registries for every top-level domain can be found here.
  3. If available, a registrar submits the registrant’s information to the registry to show that the domain belongs to that individual. 

Why Are GDPR and ICANN in Conflict? 

When the European Union rolled out the GDPR in May 2018, it granted a series of rights to residents of the EU, including the following:

  • Notification of a data breach
  • Right to access data
  • Right to be forgotten
  • Data portability, or taking data from one place to another

It also required interested parties and companies to create privacy by design. Generally, this means that interested parties only ask for data that is reasonable or necessary. Under the GDPR, the WHOIS Directory maintained by ICANN was not in compliance for EU residents.

“WHOIS is an open database where you can search who owns a domain name. You can see the owner, the administrator, full address, email, et cetera,” said Keller of the Germany-based 1&1 IONOS, which is the second-largest web hosting company behind GoDaddy.

As a registrar, 1&1 IONOS has to ask for certain data from individuals. The GDPR mandates that they should only ask what is needed to register the domain, and Keller says that 1&1 IONOS “determined that it wasn’t necessary” to ask for personal information.

ICANN responded to the GDPR late in the process. They issued a temporary specification a week before GDPR was going into effect, which resulted in redaction of most of the information in the WHOIS directory. 

While this didn’t substantially affect the work done by registrars, as they were still able to collect the necessary information to register domains, there were concerns outside of ICANN that limited data collection would make the domain registration process more difficult. Keller said there’s no substantial difference.

It did, however, affect groups and individuals that relied on the public nature of WHOIS to conduct business. 

Zak Muscovitch, an intellectual property lawyer working out of Toronto, is one of those individuals. He would use the WHOIS directory as a way to gather contact information on domains that a client might have interest in.

“It used to be I would get a call up from a potential client wanting to buy a domain. I could look up the chain of title and give them some confidence in the purchase,” Muscovitch said. In other cases, a client may have had a problem with a specific website, and he could look up the registration details and get contact information.

A pre-GDPR query with the WHOIS directory yielded three sets of contact information: the registrar, the administrator, and the technical contacts. In most cases, the admin and tech contacts would be the registrants. Parties like Muscovitch could use that information to reach out to the domain registrant directly on business. Parties could also abuse the information, using it to spam domain holders.

After implementation of the GDPR and ICANN’s temporary specification, that information is either now redacted or goes through the registrar. The process requires parties to file requests through the registrar for any kind of information on a domain holder — requests that can be denied if the party is not considered legitimate.
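As an added illustration (not part of the original article), the Python sketch below shows how someone triaging a domain can tell whether a WHOIS response still exposes the administrative and technical contacts or whether disclosure has to be requested through the registrar. The sample records are constructed, and the field names and redaction markers are assumptions based on the common "Key: value" WHOIS layout.

```python
import re

# Constructed sample responses (not real records); "Key: value" layout assumed.
PRE_GDPR = """\
Domain Name: example.test
Registrar: Example Registrar, Inc.
Admin Name: Alex Sample
Admin Email: alex@example.test
Tech Name: Alex Sample
Tech Email: hostmaster@example.test
"""

POST_GDPR = """\
Domain Name: example.test
Registrar: Example Registrar, Inc.
Admin Name: REDACTED FOR PRIVACY
Admin Email: Please query the RDDS service of the Registrar of Record
Tech Name: REDACTED FOR PRIVACY
Tech Email:
"""

# Assumed markers of a withheld value; extend for the registrars you see.
REDACTION = re.compile(r"redacted|privacy|withheld|not disclosed|query the rdds", re.I)
ROLES = ("Admin", "Tech")

def parse_whois(text):
    """Return {key: value} for every 'Key: value' line, keeping the first occurrence."""
    record = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip():
            record.setdefault(key.strip(), value.strip())
    return record

def contact_status(record):
    """Classify each contact role as 'public', 'redacted' or 'absent'."""
    status = {}
    for role in ROLES:
        values = [v for k, v in record.items() if k.startswith(role + " ")]
        if not values:
            status[role] = "absent"
        else:
            # Empty values and values matching a marker both count as withheld.
            hidden = all(not v or REDACTION.search(v) for v in values)
            status[role] = "redacted" if hidden else "public"
    return status

def needs_registrar_request(record):
    """True when no contact role is public, so contact details must be requested via the registrar."""
    return "public" not in contact_status(record).values()
```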

Muscovitch also pointed to another major party affected by the redacted information in the WHOIS directory: law enforcement. He said that they would use the WHOIS database without getting a subpoena for cases that involved looking up domain information.

The GDPR currently allows legitimate parties like law enforcement to access the data collected by registrants, pending a formal request. There were concerns that, with the information in the WHOIS directory having been redacted, requests from these parties to registrants would spike. But according to Keller, registrants aren’t seeing that yet.

“The amount of requests we get are very limited … a few a week,” Keller said. “Our belief is that WHOIS data has been abused a lot. We really don’t see a lot of urgent requests of legitimate parties.” 

The temporary specification from ICANN is set to expire in May 2019. ICANN will then need to establish permanent recommendations on how to manage the WHOIS directory in a way that is compliant with the GDPR.

Citation for this content: University of Dayton’s online J.D. degree.