EU GDPR and the WHOIS, Radiation Fallout

So during ICANN 58 in Copenhagen it became crystal clear: the WHOIS is a “nice to have”, but for sure not a “must have”.

Sure, there are folks who did not see the mushroom cloud, nor did they hear the thunder of the nuclear explosion, and being in denial is an option, but if you are hit with the radiation and fallout, denial is not a good option.


What is the WHOIS and what are Registrars doing? If you register a domain name, say one under .biz, then the Registrar registers the domain name for you and the .biz Registry publishes your personal information in a public directory/database that we call the WHOIS.

This was handy back in 1990 or so. Now the EU GDPR is coming in May 2018 and enforcement is most likely to happen (read: huge fines). ICANN managed to ignore the problem and wanted to keep ignoring the privacy problems even longer, but after ICANN 58 this is no longer an option.

The EU GDPR is global: every Registrar and Registry in this world that deals with European citizens has to comply with it. This makes the solution problematic.

In my opinion, there is only one solution: shut down all WHOIS servers and replace them with RDAP. In addition to this, storing personal info at the Registry in order to register a domain name should not be required; it serves no purpose.

RDAP will have two functions. First, it will serve as an internal network to make sure existing ICANN policies keep functioning, though policies like IRTP A-D and many more will need to be rewritten or scrapped.

The public output of RDAP should be very minimal; this is function two. The output will contain the Registry, the Registrar, the Reseller (if applicable), an email alias of the Registrant and the name servers. The rest should be removed, as it serves no purpose.

As simple as this sounds, it requires a lot of work, and there will be moments when things are in freefall and we need to adjust procedures on the fly.

Registrars, where applicable by law, should display the Registrant in full when it is a company. EU privacy law is pretty clear about that.

All in all, this requires some out-of-the-box thinking, but we should stop thinking in terms of thin or thick WHOIS; we must be aware of what data we collect, be careful about what we publish publicly, and keep asking what the purpose is.

The current setup will create a huge problem when it comes to abuse. Not only will LEAs be frustrated, it will also create tons of overhead on the Registrar side and as such cost money, and worse, abuse levels might even skyrocket.

RDAP allows for gated access. LEAs must get access through a global framework to combat abuse. This also extends to those companies that are not LEAs but fight spam and other nasty things that happen on the internet. This will require some heavy consulting with the EU Data Commissioners to set up a framework that has a purpose. I think this is doable, though it will require heavy monitoring of access in order to justify such access. Given the current levels of abuse, again I think it is warranted, not to mention the extremely short timeframe we have to get EU GDPR compliant.
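The two-tier RDAP output argued for above, as an added example (not code from the original post or from any registry or registrar): the public answer keeps only the registrar, the reseller, an email alias for the registrant and the name servers, while accredited LEA and anti-abuse parties get the full record through a gated path that logs every request. The JSON layout follows RFC 7483; the record, the alias domain and the accreditation identifiers are constructed placeholders.

```python
import copy
import hashlib
# Constructed sample record in the RFC 7483 "domain" layout; not a real registration.
FULL_RECORD = {
    "objectClassName": "domain", "ldhName": "example.biz",
    "nameservers": [{"objectClassName": "nameserver", "ldhName": "ns1.example.net"},
                    {"objectClassName": "nameserver", "ldhName": "ns2.example.net"}],
    "entities": [
        {"roles": ["registrar"], "vcardArray": ["vcard", [["fn", {}, "text", "Example Registrar Ltd"]]]},
        {"roles": ["reseller"], "vcardArray": ["vcard", [["fn", {}, "text", "Example Reseller BV"]]]},
        {"roles": ["registrant"], "vcardArray": ["vcard", [
            ["fn", {}, "text", "Jane Doe"],
            ["adr", {}, "text", ["", "", "1 Main St", "Copenhagen", "", "1000", "DK"]],
            ["tel", {"type": "voice"}, "uri", "tel:+45.12345678"],
            ["email", {}, "text", "jane@example.org"]]]},
        {"roles": ["technical"], "vcardArray": ["vcard", [["email", {}, "text", "ops@example.org"]]]},
    ],
}
PUBLIC_ROLES = {"registrar", "reseller"}     # published unchanged
ALIAS_DOMAIN = "alias.registrar.example"      # hypothetical forwarding domain run by the Registrar
ACCREDITED = {"lea-example-01", "antiabuse-example-02"}   # hypothetical framework accreditations

def registrant_alias(domain: str) -> str:
    """Stable per-domain alias that forwards to the registrant without exposing their address."""
    return hashlib.sha256(domain.lower().encode()).hexdigest()[:16] + "@" + ALIAS_DOMAIN

def public_view(record: dict) -> dict:
    """Minimal public output: domain, name servers, registrar, reseller and a registrant alias."""
    out = {"objectClassName": "domain", "ldhName": record["ldhName"],
           "nameservers": copy.deepcopy(record["nameservers"]), "entities": []}
    for ent in record["entities"]:
        roles = set(ent["roles"])
        if roles & PUBLIC_ROLES:
            out["entities"].append(copy.deepcopy(ent))
        elif "registrant" in roles:
            # name, postal address and phone are dropped; only the alias is published
            out["entities"].append({"roles": ["registrant"], "vcardArray": ["vcard", [
                ["email", {}, "text", registrant_alias(record["ldhName"])]]]})
        # admin/tech/billing contacts are not published at all
    return out

def gated_view(record: dict, requester: str, purpose: str, audit_log: list) -> dict:
    """Full record for accredited parties only; every attempt is logged so access can be justified."""
    granted = requester in ACCREDITED and bool(purpose.strip())
    audit_log.append({"requester": requester, "domain": record["ldhName"],
                      "purpose": purpose, "granted": granted})
    if not granted:
        raise PermissionError("full RDAP data requires accreditation and a stated purpose")
    return copy.deepcopy(record)
```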

Will this work? Most likely not. ICANN is a bottom-up driven community and not a top-down organization. Before we have everyone on board, we are most likely two years further into the process.

The alternative, and there is no alternative: privacy is a right, it cannot cost money, it is not a service. As such I expect most Registrars will start offering privacy protection for free, send out a mailing informing everyone, and will have done their duty. This will be a colossal mess and I am not sure how we should deal with domain transfers; this issue does not exist with most ccTLDs as they have a cleaner transfer process that does not rely on a system created by ancient Egyptians.

This article is a work in progress. Updated version at

Theo Geurts

ASOP Global Internet Pharmacy Safety E-Commerce Leadership Award.

And I won it, at ICANN 58 in Copenhagen.

And it did not cost me much energy at all. That is the deciding factor in how I won the award. Connecting key players (LEAs), connecting key actors (Registries & Registrars) and as such making the internet safer; consulting, advising, participation: things that give me energy. And if it gives one energy, it all becomes easy.

The award was handed to me by ASOP.EU. Their goal:

An early objective for the coalition will be to develop and issue a ‘call for action’ inviting the European authorities to evaluate policies and legal measures to tackle illegal online sales and launch a dialogue with key stakeholders including internet intermediaries to take action against illegal online pharmacies. The coalition will play a valuable role in demonstrating broad-based support for urgent action to tackle this patient safety threat. It should rapidly become a trusted partner of the authorities as measures are developed to deal with illegal online pharmacies.

The award looks like this:

I guess the photo does not do complete justice to the award. It was however so large (and heavy) that I asked the hotel staff to have UPS ship it back to me, as there was no way it would fit in my carry-on luggage.

ICANN 58 took place in this great convention center, Bella Sky in Copenhagen. Expect more updates soon.

ASOP press release can be read here.



Dissecting the Registrar Accreditation Agreement 2013 part 1

Now that the RAA 2013 is up for public comments on ICANN’s website, I decided to zoom in on some parts of this new agreement.

It’s been a long road: 18 months of negotiations between the domain name Registrars and ICANN are now over. As written many times before on this site, the verification of registrant data was one of the most controversial and debated parts of the entire RAA.

What the FBI and other law enforcement agencies wanted

Under ideal circumstances the law enforcement agencies would have loved a domain name registration system where you, as the domain name registrant, would have to visit the domain name Registrar’s office. After handing over a boatload of documentation you would be on your way home while your domain name Registrar ran several background checks, and perhaps in a month or two your domain name would be registered. Or, if the background check did not produce enough information, you would have to visit the Registrar again so the Registrar could take some DNA samples, CSI style.

What the rest of world wanted

The Registrars and other stakeholders didn’t embrace the above vision and wanted less intrusive methods of registrant verification. So after 18 months we have something called the “WHOIS ACCURACY PROGRAM SPECIFICATION”. An end result that did not make the LEAs jump for joy.

Let’s zoom in on this verification system and theorise about the implementation and the implications for you as a registrant.

Registrar shall validate:

  • Validate the presence of data for all fields required under Subsection 3.3.1 of the Agreement in a proper format for the applicable country or territory.
  • Validate that all email addresses are in the proper format according to RFC 5322 (or its successors).
  • Validate that telephone numbers are in the proper format according to the ITU-T E.164 notation for international telephone numbers (or its equivalents or successors).
  • Validate that postal addresses are in a proper format for the applicable country or territory as defined in UPU Postal addressing format templates, the S42 address templates (as they may be updated) or other standard formats.
  • Validate that all postal address fields are consistent across fields (for example: street exists in city, city exists in state/province, city matches postal code) where such information is made available to Registrars.

With the above in mind we can conclude that the WHOIS will have fewer odd elements than we know today. Telephone numbers will all have one and the same format. The last validation bullet (matching data) is a very interesting one: not all countries use postal codes, and that is just for starters.

Registrar shall verify:

  • The email address of the Registered Name Holder (and, if different, the account holder paying for the Registered Name) by sending an email requiring an affirmative response through a tool-based authentication method such as providing a unique code that must be returned in a manner designated by the Registrar, or
  • The telephone number of the Registered Name Holder (and, if different, the account holder paying for the Registered Name) by either (A) calling or sending an SMS to the Registered Name Holder’s telephone number providing a unique code that must be returned in a manner designated by the Registrar, or (B) calling the Registered Name Holder’s telephone number and requiring the Registered Name Holder to provide a unique code that was sent to the Registered Name Holder via web, email or postal mail.

What the Registrar has to verify is pretty straightforward, and as you can read, no DNA samples are required to have your domain name registered, just your email address.

Return to sender.

What if the verification does not happen? A registry like DK Hostmaster has had an email verification system in place for many years now. It works like this: you receive an email that contains your login to activate the domain name, and if your email is down for some reason you receive a letter from the registry that also contains your login details. If you do not activate your domain name, it will simply not resolve; it stays reserved for 30 days and then the registration is undone.
A simple system, yet 10% of all registrations fail when it comes to the ccTLD .DK. That is a massive number of domain names if you were to apply such a system to .com or .net. However, ICANN has come up with a different solution.

In either case, if Registrar does not receive an affirmative response from the Registered Name Holder, Registrar shall either verify the applicable contact information manually or suspend the registration, until such time as Registrar has verified the applicable contact information. If Registrar does not receive an affirmative response from the account holder paying for the Registered Name (when that information is different from the Registered Name Holder), Registrar shall verify the applicable contact information manually, but is not required to suspend any registration.

So here we have it, and let’s see how that one works in the real world.
Let’s assume the Registrar works with a reseller model; the flow would go like this:

  • The domain name gets registered and an email is sent to the registrant and to the reseller.
  • The registrant does the verification, and so does the Reseller; both have been verified.
  • Much rejoicing and happy people everywhere.

In the scenario where the registered domain name holder/registrant does not go through the verification process, the domain name gets suspended after 15 days. If the reseller does not respond, the Registrar will verify the data manually, but the domain name does not get suspended.

More fun.

If the Registrar discovers that the information is incorrect, then the Registrar is required to re-verify the data.
Sounds simple; in reality however this is going to be a lot of fun. Registrars currently need to send a so-called WDRP (Whois Data Reminder Policy) email to either the registrant or the admin contact. Currently it is only required to send the email, regardless of whether it bounces back or not. With this provision, if it bounces back or the email does not get delivered, the re-verification process kicks in. The ICANN text is as follows:

Registrar shall either verify the applicable contact information manually or suspend the registration, until such time as Registrar has verified the applicable contact information. If, within fifteen (15) calendar days after receiving any such information, Registrar does not receive an affirmative response from the customer paying for the Registered Name, if applicable, providing the required verification, Registrar shall verify the applicable contact information manually, but is not required to suspend any registration.

Here it says the Registrar does not have to suspend the domain name. However, the next section says:

Upon the occurrence of a Registered Name Holder’s willful provision of inaccurate or unreliable WHOIS information, its willful failure promptly to update information provided to Registrar, or its failure to respond for over fifteen (15) calendar days to inquiries by Registrar concerning the accuracy of contact details associated with the Registered Name Holder’s registration, Registrar shall either terminate or suspend the Registered Name Holder’s Registered Name or place such registration on clientHold and clientTransferProhibited, until such time as Registrar has validated the information provided by the Registered Name Holder.

Willful: what can be considered willful and not willful? There is the obvious part, where a registrant tells the Registrar to take a hike, and then there is the not-so-obvious part, when you have to deal with a company with multiple departments and decision makers. Needless to say, this could use some clarification.
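The verification flow discussed above (a unique code the contact must return, the 15-day window, suspension via clientHold and clientTransferProhibited for a silent registrant, manual verification only for a silent paying customer, and a restart when a mail bounces), as an added example that is not the RAA’s text or any Registrar’s code. The Registration class, its method names and the sample addresses are assumptions made for this illustration.

```python
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta

VERIFY_WINDOW = timedelta(days=15)                   # "fifteen (15) calendar days" in the specification
HOLD = {"clientHold", "clientTransferProhibited"}     # the statuses the RAA names for suspension

@dataclass
class Registration:
    domain: str
    registrant: str                                   # Registered Name Holder's email address
    payer: str                                        # account holder paying; may differ from the registrant
    deadline: datetime = datetime.max
    codes: dict = field(default_factory=dict)          # contact -> unique code that must be returned
    verified: set = field(default_factory=set)
    manual_review: set = field(default_factory=set)    # contacts the Registrar must verify by hand
    statuses: set = field(default_factory=set)

    def _issue(self, contact: str, now: datetime) -> None:
        """Send a fresh unique code to one contact and (re)start the 15-day clock."""
        self.codes[contact] = secrets.token_urlsafe(8)
        self.deadline = now + VERIFY_WINDOW

    def send_codes(self, now: datetime) -> None:
        """Initial verification mail to the registrant and, if different, the paying customer."""
        for contact in {self.registrant, self.payer}:
            self._issue(contact, now)

    def confirm(self, contact: str, code: str) -> bool:
        """Affirmative response: the contact returns exactly the code the Registrar sent to it."""
        if self.codes.get(contact) == code:
            self.verified.add(contact)
            return True
        return False

    def bounce(self, contact: str, now: datetime) -> None:
        """An undelivered mail (e.g. a WDRP reminder) voids that contact's verification and restarts it."""
        self.verified.discard(contact)
        self._issue(contact, now)

    def tick(self, now: datetime) -> None:
        """Apply the 15-day rule. A verified registrant gets any hold lifted; registrant silence
        suspends the name; payer silence only puts the payer in the manual verification queue."""
        if self.registrant in self.verified:
            self.statuses -= HOLD
        elif now >= self.deadline:
            self.statuses |= HOLD
        if self.payer != self.registrant and self.payer not in self.verified and now >= self.deadline:
            self.manual_review.add(self.payer)
```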

So it is time to get your email addresses up to date, together with your other information, and check for yourself whether you would pass the verification. After all, it would be a shame if one or perhaps all of your domain names got suspended because of a bounced email.

All Registrars who wish to sell the new gTLD domain names are required to sign the RAA 2013, and I expect the new RAA 2013 to go live within a few months from now, if not earlier.