Article topics

What GDPR means for your domain registration

Mark Tomkins

How the new GDPR rules have just made it a whole lot more difficult to manage your website.

We think it was one of those ‘uh-oh’ moments. The point on the 26th May 2018 when the ISPs, registries and everyone who works within the internet space needed to look up some WHOIS information about a domain name… and could only find details of the registrar.

That was the moment GDPR blindsided a lot of internet professionals.

Even registrars, ISPs and law enforcement agencies hadn’t realised the impact of the introduction of GDPR on their role providing internet services, fighting internet crime and just performing the normal day-to-day duties of moving domains from one place to another.

The problem is that GDPR had imposed the requirement on all EU-located domains to have their registrant details redacted to conform with new privacy law.

Before 25th May, you could look up the owner, company, address of the registrant and where the host was (along with other useful DNS settings) by running a WHOIS search. Some TLDs (top level domain) authorities allowed you to pay a small fee on top of the registration to mark the details as private for individuals, but as a rule, you could look up who owned and managed a domain name.

This was sensible for lots of reasons:

  • Validating authenticity of a website, it’s ownership, who to contact in the event of a security problem or when close to expiry.
  • Verification for the installation of SSLs.
  • Performing domain transfers from one registrar or host to another.
  • Helping law enforcement agencies clamp down on cybercrime.

However, GDPR laws now require PII (Personally Identifiable Information) to be protected. That means hiding (redacting) all the information relating to the registrant at the top-level registry point. In some cases this means replacing it with the TLD’s domain masking details (see image below.)

A WHOIS search now just returns redacted results with almost nothing upon which identify the owner. For example, performing a WHOIS on our domain returns the following:

*Reference: Nimbus Hosting are our web hosts and domain registration partners and Tucows resellers.

So, what does this mean now to domain name information?

  • It’s much harder to track down who owns a domain for legitimate reasons, i.e. taking over a domain from a rogue IT or web design agency.
  • It’s much harder to find out if the owner behind a website is legitimate.
  • Address details on a .uk domain were considered a reliable source of address details.
  • It’s much harder for SSL validation (and ironically the installation of an SSL is a recommended action under GDPR).
  • How will an EV SSL show the registrant’s details in the browser if they are redacted?
  • It’s much harder to move .com domains – it becomes difficult to know what the admin email address is in order to initiate a transfer.
  • It becomes very difficult (without court intervention) for law enforcement agencies to track cybercrime.

What we at Aubergine don’t understand is this communication from Symantec & DigiCert (one of the largest domain security and registry systems managers) to registries, which includes the following paragraph (for those not familiar with it, ICAAN is the Internet Corporation for Assigned Names and Numbers):

“…The good news is that DigiCert has worked with ICANN, and the organization announced in recent days that registries and registrars will be required to continue submitting information to WHOIS. This will allow continued reliance on WHOIS, with a few changes that you should know about.”

So, if registries are still required to submit WHOIS information (without being able to see or use it) does this indicate that a deal is on the cards between ICAAN and the EU member states’ authorities to relax these rules?

In much the same way as GDPR requires website owners to be given controls to provide consent and set preferences in terms of cookies when web browsing, domain registrars are going to have to provide the end user with a control panel to provide consent for how the data is processed and used. That system will also need to provide constant access so that the end user (registrant) can withdraw consent as easily as granting it.

Fortunately, there are some registrars such as Tucows (who operate the Open SRS system) who have provided a very good step-by-step guide of the new process for registrars and registrants, web agencies, domain resellers and those involved with managing domain names.

At the point of writing this (28th May) we’ve yet to perform one of these new domain transfers. Like all software-related things, it’s usually sensible to wait a while until the first few have been done and documented (and the inevitable bugs found) before doing too many for our clients. You can read the Open SRS domain management article and checklist here:

The positives out of this are:

  • A significant reduction in junk mail and spam contacts from people trying to sell domain owners shady web services the moment a domain is registered
  • As a result of the above, there’ll be a reduction of domain fraud and theft
  • Individuals who own domains and have it registered to their home address will have added anonymity and identity protection.

All of which are great. However, the challenges that the internet-based industry faces to both continue to operate in providing a legitimate service without extra time (and therefore cost) as well as keep the process simple are significant.

However, we think the biggest downside is the effect it will have in fighting cybercrime. The additional bureaucracy and red tape that the law enforcement agencies will need to cut through in the daily battle against online fraud and crime will become huge. In a bid to protect people’s privacy, these GDPR-related changes may have just shot the one thing that people want more of – a reduction in identity theft and cybercrime.

After all, if a person who registers a domain name really wants to hide their privacy they can do that for the vast sum of $9 (or thereabouts) when they register it. Not too much to ask, really.

We wait and watch with anticipation how the industry will work with the new rules.