The Quiet Death of WHOIS

The WHOIS system is a technology that, more or less, is as old as the internet.

But despite being around since the early 1980s, on May 25, 2018, WHOIS will likely either stop functioning or become significantly limited.

The system, which allows users to look up who the registered owner is of any given domain, has been mired in controversy for some time. To many, it’s long been a haven for spammers and scammers to get in touch with domain owners. To others, it’s been an invaluable security tool.

But, thanks to the General Data Protection Regulation (GDPR), a new European regulation that restricts how companies and organizations can collect and share personal data, the WHOIS system faces an uncertain future.

What this means for the internet is unclear, but it will definitely have an impact on how individuals track and find the internet’s villains, including spammers, hackers, pirates and other infringers.

The Basics of WHOIS

WHOIS (pronounced who is) is simply a system by which anyone can look up who owns a particular domain name. Simply search for the domain and you discover the registration information for the name itself.

Though the system is heavily decentralized it is Internet Corporation for Assigned Names and Numbers (ICANN) that currently oversees it. ICANN is also responsible for the Domain Name System (DNS), which is the process that converts human-readable domains into IP addresses and allows the internet to function.

ICANN both maintains the standard for what must be in a domain name registration and the technical process for performing the lookup. As a result, no matter where the domain was registered, you can easily lookup who owns it through a centralized search tool such as the one ICANN itself provides.

The current requirements for a WHOIS registration include the mailing address, phone number and email address of the domain owner or administrator. Many domain purchasers, especially private citizens, were uncomfortable with having that much information in a public database. This gave rise to domain privacy services, which mask that information.

Those services work by acting as proxies, by keeping the “real” information behind lock and key while making their proxy information available in the WHOIS results. Since ICANN’s requirements made it necessary that the owner/administrator be reachable via the WHOIS information, this proxy system is within the rules.

Though ICANN has been working on a standard for such proxy services, it has not come to fruition yet.

That’s been a big part of the story when it comes to WHOIS privacy. Though ICANN has long acknowledged that there are privacy issues with the WHOIS system, none of the proposals ever came to fruition and, to the end user, the system works much the same in 2018 as it did in 1988.

However, now those privacy concerns are crashing down on the WHOIS system, possibly taking it down for good.

Enter the GDPR

The General Data Protection Regulation (GDPR) is an EU regulation that was adopted on April 14, 2016 and, after a two-year transition period, will take effect on May 25, 2016.

The regulation is large and complicated but basically places strict rules on how private data is collected, stored and shared online. In general, the rules require consent for processing personal data, places limits on how its stored, where it’s exported and how long it can be held onto.

It also requires that organizations make it possible for users to have their records purged, a right to erasure, and requires those storing personal data to notify those involved in any breaches within 72 hours (or as soon as practical).

Though the regulation is an EU one, it also applies to any organization that stores data of EU citizens. Needless to say, that applies to nearly every company or website online.

ICANN is no different though, as it’s come to realize, the rules of the GDPR are incompatible with the WHOIS system. After all, the WHOIS system is a giant tool for collecting private information and publishing it publicly.

This is why ICANN has been working since the GDPR was passed. ICANN has had regular meetings with the Data Protection Working Party (WP29), the group that is tasked with enforcing the GDPR. However, those meetings have born little fruit. In March, ICANN presented an “Interim model for compliance” that would have given tiered access to the WHOIS information but, in April, those guidelines were rejected by the WP29 saying it was non-compliant with the law.

In the cross fire is registrars, such as Godaddy, who could face significant fines if they violate the GDPR, including by passing along personal data as part of the WHOIS system.

Some registrars aren’t waiting for the 25th. In January, GoDaddy announced that it was redacting personal information through its automated system, though still making it available on its own site. This move upset a lot of users of the WHOIS system. The U.S. government began to pressure ICANN to investigate GoDaddy’s policies and ICANN confirmed that it is looking into it.

However, sometime in April, Google began to do the same, showing truncated records on third party sites. As of this writing, Google appears to also be truncating records in its local WHOIS search as well.

GoDaddy and Google likely won’t be alone. We’re heading toward a WHOIS showdown and one thing is for sure, if the WHOIS system exists on the 26th, it won’t be the same…

The Benefits of Privacy

If you’re a domain owner, you probably aren’t too upset about this.

Though the WHOIS database is immensely useful, it’s also been ripe for abuse. Spammers and scammers alike have made aggressive use of the tool to get email, postal and even phone numbers of domain owners.

If you’ve gotten mail from fake domain registrars warning you your name is about to expire, seen an uptick in spam after registering your site or even been cold called about your domain, they likely got that information from the WHOIS database.

However, for many spammers and scammers are the least of the privacy concerns. Many have been doxxed, threatened and harassed using info in the WHOIS database, making WHOIS privacy a requirement for anyone running a controversial website.

Because of this, groups like the Electronic Frontier Foundation are fully in support of limiting the WHOIS service. The EFF even went as far as to say the restrictive access model proposed by ICANN was putting the users of the WHOIS service ahead of the privacy of those in it.

In short, there are many people with very legitimate reasons to be happy that the WHOIS system is going to change drastically. But, that doesn’t necessarily make it a net positive for the internet.

The Other Side of WHOIS

For all of the nefarious uses of the WHOIS system, it’s also relied upon by a variety of security professionals of all stripes to protect everything from intellectual property to the core internet infrastructure.

IBM, for example, recently wrote in an article how it uses WHOIS to track down spammers and block more than 1.3 million malicious domains per month. Furthermore, it says that it might take up to 30 days to track down and stop malicious domains using other techniques, giving malicious users ample time to commit whatever crimes they want to commit.

This view is backed up by security researcher Brian Krebs as well as other cybersecurity experts who say that, despite widespread use of domain privacy and false WHOIS data, the tool is still useful for mapping out and taking action against malicious sites.

This view is echoed by those who work in trademark and brand enforcement, saying that restrictions on the WHOIS system will make it more difficult to shutter counterfeit sites.

In addition to helping detect malicious actors, the system is also used to notify individuals that their site has been compromised. This is one of the few uses I’ve had for the WHOIS system, where I was able to notify a site owner that they had been compromised and needed to clean up and secure their server.

The general fear is that, while truncating to ceasing the WHOIS system will make things more secure and private for domain owners, it may make the internet less safe in general. To many security experts, a public and open WHOIS database was a worthwhile tradeoff.

Whether that’s true or not, we’ll likely find out shortly after the 26th.

My Personal Take on WHOIS

At CopyByte, I do a lot of work with clients to track and remove copyright infringing material. Everything from marketing content to ebooks, software, movies, music and more.

Despite the wide variety of cases, I don’t use the domain WHOIS a great deal. While I could blame that on the private registrations (email forwards rarely work) and outright false information in the database, the real reason is that it’s not necessary.

Simply put, when filing a notice of copyright infringement, you’re usually trying to reach the host of a site, not the site owner directly. As such, contact information for a domain registrant isn’t very helpful most of the time.

What I do use is a tool called IP WHOIS. This tool contacts Regional Internet Registries to find who owns or controls a specific IP address. It works much the same as the domain WHOIS system, but for IP addresses.

Under the GDPR, the IP WHOIS tool should not need to be truncated because it contains no personal information. Instead, it contains contact information for corporations, which is not covered under the GDPR. Since, generally, no “natural persons” are identified in the IP Whois database, they should not be impacted.

However, that doesn’t mean they won’t be. If the IP WHOIS database is truncated, either out of an abundance of caution or due to personal information I have not identified, it could pose a problem. Some hosts only make their abuse and other contact info available in such a query, making the difficult to get in touch with.

While those cases are very rare, I do use the IP WHOIS database regularly to notify hosts of copyright infringement and other abuses. If taken away or limited, it would be a useful tool that is taken away.

While that seems unlikely at this time, obviously, this is something I will be watching closely.

Bottom Line

In the end, the fault for this can only be placed on one organization: ICANN.

ICANN has been well aware of the privacy issues with the WHOIS system for decades and, despite several false starts, has failed to do anything about it. Now we are just over a week away from the implementation of the GDPR and its privacy house of cards may come crumbling down.

ICANN had every opportunity to resolve these problems on their terms but now have to deal with the on the EU’s. Because of that, the internet may be a less safe place though the real impact won’t be known for some time.

If anything, this story is a lesson about what happens when you put off a problem infinitely and then are forced into dealing with it. It creates uncertainty and, unfortunately, it’s uncertainty that the whole of the web must deal with.

ICANN’s failure punishes us all…