Who’s behind the mask? Domain ownership and GDPR

Mark Tomkins

Why hiding domain owner data is bad for website management and security

Since 25th May 2018, when the GDPR regulations came into force, hundreds of millions of domain admin email addresses have been sent an email. These emails ask the admin of the domain to confirm more or less nothing – because most of the details have been redacted.

In almost all cases, the fields of information simply display the contact details for the protected identity address used by the registrar.

And yet, these emails are in full accordance with ICANN (Internet Corporation for Assigned Names and Numbers) regulations. How can this be?

There are over 300 million registered gTLD (generic top-level domain, such as .com or .co.uk) domain names. Until 25th May 2018, ICANN, overlord to most gTLDs, required web domain registrars (123-REG, GoDaddy and the like) to confirm annually by email that the registration details of the owner of the domain name were correct. This included the name, address, telephone, company name (where applicable) and admin email address.

This annual check was pretty important for registrars, developers and law enforcement agencies as it helped them to manage ownership, verify SSL registration and confirm validity – a good way to check against fraud, too.

The email from ICANN showed all the registration details. If something had changed (address, email etc) you had to update it, but otherwise it was just a confirmation of the record. Sensible, right?

Then GDPR went live.

With GDPR, the ICO (in the UK) and their European counterparts deemed that making this vital information publicly available conflicted with the new data privacy regulation and that it must be redacted. This was most likely because of a lack of knowledge and understanding of the practical implications. However, the upshot is that the owner of any domain now has total anonymity and can operate without anyone knowing who they are and where they’re from.

Daily tasks for hosts and web developers (managing websites, keeping their users safe and performing legally permissible transfers) became almost impossible overnight. No longer can a host find the contact details of a website that is suspected of performing fraudulent activity and spamming. Web developers are stuck if they can’t find out who to contact to perform everyday tasks like updating a domain, migrating a site to a new host or installing an SSL certificate – ironically a recommended requirement under GDPR.

Why did it happen? Well, GDPR (General Data Protection Regulation) states that domain ownership information is PII (personally identifiable information) and so it must not be visible except to the data controller (the registrar) in order to process the owner's registration as a customer.

Before GDPR, if a private domain owner (i.e. a private person, sole trader or non-corporation) wanted to mask their details, they could pay a nominal fee on top of the registration fee to have them masked. This was primarily to protect their home address and contact details. This service was not available to companies whose information is already available on public registers like Companies House.

ICANN are in discussion to seek better guidance on how to handle the visibility of WHOIS information. There is a temporary solution in place that makes it lawful to display WHOIS details for organisations when they are non-specific and use generic contact details. However, that simply introduces an administrative burden on registrars as each domain will need to be reviewed. Additionally, small companies and organisations very often only operate from generic contact details.

The rules right now are confused and disproportionate. The previous system of allowing private individuals to pay to have their details redacted worked well – there was user choice. Now there are no clear rules and we’ll start to see people entering misleading information when registering domains just to circumvent the rules.

So, who will win this battle of legislation? Will it be ICANN, which requires, under international law, all domain owners to confirm their details? Or will it be the EU and UK data protection lawyers?

Either way, hundreds of millions of pointless emails are being sent asking people to confirm inaccurate information. In fact, it’s giving them sight of the details of an organisation that they probably – up to that point – hadn’t even known existed.

Isn’t that actually spam?

ICANN have issued an article about this clash of laws, for anyone interested in how this plays out:

https://www.icann.org/news/blog/data-protection-privacy-update-additional-guidance-from-the-european-data-protection-board

The views expressed in this article are purely based on the information we have sourced and discussions with other industry professionals in the domain and hosting sphere. We really hope we’ve got this wrong – and are happy to have egg on our faces – but we think we’re right and if we are, then it’s quite possible that something significant will need to happen to change this. Perhaps the impending introduction of another new privacy law, PECR, may ease things by allowing generic domain registry information to be shown in a WHOIS lookup. We watch the story unfold with eagerness.