The Internet Corporation for Assigned Names and Numbers (ICANN) is still developing an interim compliance model to address concerns surrounding GDPR.
In an earlier blog post, I mentioned that ICANN was scheduled to meet with European Union data privacy authorities this week to try to get more time to reconcile the requirements of the European Union General Data Protection Regulation (GDPR) and ICANN’s requirements to publish WHOIS data for domain name registrations.
Göran Marby, the President and CEO of ICANN, posted an update on the April 23, 2018 meeting between ICANN and the EU Article 29 Working Party. In addition to providing information from key stakeholders in support of ICANN’s plans, ICANN proposed a one-year phased transition period to allow it to implement changes to limit access to personal registration information and to address GDPR concerns.
During the meeting, the Working Party representatives did not agree to a moratorium but made clear that ICANN must anonymize registrant, administrative and technical contact email addresses by May 25, 2018 or face substantial penalties for breach of the GDPR.
“We appreciate the feedback we received during the meeting,” Marby said, as quoted in the update. “From our discussions, we agreed that there are still open questions remaining, and that ICANN will provide a letter seeking additional clarifying advice to better understand our plan of action to come into compliance with the law. We also understand that the community may have opinions regarding the clarifications or interpretations of the law provided by the DPAs. All of this information is needed for the ICANN org and community to move forward, so that we can continue to establish the necessary milestones for compliance, and ultimately implement a model that is fully compliant with the law.”
Unless ICANN can find an EU court willing to block GDPR enforcement actions against it, you can expect WHOIS to go dark as of May 25, 2018, at least with respect to EU-source data, until ICANN can work out a GDPR-compliant solution.
For additional perspective on WHOIS records and how they factor into OSINT, check out guest contributor Bob Covello’s blog post.