The War Over the Future of WHOIS

For over 20 years, the WHOIS system remained one of the key pieces of internet architecture. As a way to help identify the people behind domains and websites, it was widely used by everything from spammers to journalists and law enforcement agencies.

It was a powerful tool, if an imperfect one, for investigating a wide range of internet issues, legal and otherwise.

Then, one day, it was pretty much gone.

As we discussed back in May 2018, nearly four years ago, the WHOIS system was condemned to die a quiet death. The system, which made domain registrant contact information available to the public, was inherently incompatible with the new EU General Data Protection Regulation (GDPR). This prompted registrars to redact valuable information, regardless of who was applying for it.

However, that death turned out to be not as quiet as it appeared it would be. In the four years since, the Internet Corporation for Assigned Names and Numbers (ICANN) has been seeking proposals to improve or overhaul the status quo.

Unfortunately, despite all that time, we seem to be no closer to a resolution, and the only serious proposal would create a system even worse than no system at all.

Background and Basics on WHOIS

The WHOIS system (pronounced “Who Is”) is a decentralized database of all the owners of the various domains accessible on the internet.

ICANN controls the system by requiring registrars, the companies that sell domain names, to maintain the system on their servers. This enables anyone on the internet to look up who the registered owner of a site is, complete with contact information.

The system has been around in some form or another since 1982. However, it was in 1998 that ICANN inherited the standard and took it over. Even back then, privacy issues were a hot topic with many concerned that such a public database of personal information would lead to spam, harassment and other issues.

One common resolution to this was the use of domain privacy services. These would act as a middle person between the registrant and the database. Since the contact information was still accurate, it was seen as acceptable under ICANN rules.

However, the system hit a landmine in 2018. The GDPR made such a database pretty much impossible. ICANN scrambled to try and find a workaround but ultimately struck out.

This left registrars in a difficult position. On one hand, they had ICANN regulations requiring them to maintain a WHOIS database. On the other, they had the EU threatening them with fines for publishing that same information.

In the end, the WHOIS system still exists, but is heavily redacted and censored. Nearly all useful information is either redacted or obfuscated.

However, since 2018 there has been a push to restore at least some of that access to users that may need it. Unfortunately, that has not been a smooth road.

The New Proposal

Finally, after four years of work (through a supposedly “expedited” process), the Generic Names Supporting Organization (GNSO), which is part of ICANN, has proposed a new System for Standardized Access and Disclosure (SSAD).

The goal of the system would be to allow accredited users access to the raw information in the WHOIS database. This way law enforcement, investigators, journalists and others with legitimate need could get the data, though the public at large would be shut out.

While this may seem like a fair and appropriate compromise, the devil, as the expression goes, is in the details. Unfortunately, there are many devilish details.

First off, the system will take an estimated six years to implement, meaning that, even if approved today, we likely won’t see it until 2028. Also, the system is estimated to cost up to $106 million per year, an amount that would be passed on to users.

However, the far bigger problem is that the system will likely be of limited use. The system works by having a centralized place to request information. However, there is no guarantee that the information provided will be accurate or timely since it’s ultimately up to the registrar, not ICANN, to provide it.

As such, there is no guarantee that the registrar will return anything at all (registrars can choose not to disclose) or that what it does return is accurate and complete. To make matters worse, the results may not return for days, which is an eternity for many types of investigations (such as phishing sites or scam sites).

But even after all this, ICANN admits that their policy does not and cannot override GDPR. As such, we are basically back to square one when it comes to ICANN vs. GDPR and all we have is a proposal for a limited, slow, expensive, inaccurate and inconsistent tool that, if implemented, is still six years away.

It’s easy to see why no one, including ICANN, is happy with this proposal, and it looks to be dead on arrival.

To call this a train wreck is putting it modestly. But there’s only one party to blame: ICANN itself.

How ICANN Let Everyone Down

The WHOIS system goes back to the early 80s and has been the sole dominion of ICANN since 1998. That means the system has been around for 40 years and for 24 of those years, ICANN has been in charge of it.

These privacy issues are not new. They were hot topics in the nascent internet as much as they are in the modern one. Though ICANN managed to pass several consensus policies regarding WHOIS, none really targeted privacy, other than one that changed the terms of service for WHOIS to make it unlawful to use it for marketing purposes.

ICANN did, at one point, attempt to create a standard for domain privacy services, but that never came to fruition and is still “undergoing implementation” many years later.

ICANN has had more than two decades to find a solution to the obvious privacy issues that still allows those with legitimate needs access to the data. Yet, for 24 years, they’ve been unable to do anything other than pass the most minor changes to the system.

Then in 2017 and 2018, everything came to a head and ICANN found itself caught flat-footed against new regulation. They scrambled to come up with any answer, even if it meant destroying what limited usefulness the WHOIS system still had.

Whether ICANN didn’t prioritize these problems, its system is so cumbersome that change is impossible, or there was just too much controversy, ICANN failed the internet when it comes to this issue. For that, the internet is both a little less safe and a little less private.

Bottom Line

In the end, the usefulness of WHOIS had been waning for many years before 2018. Domain privacy services, though supposedly a middleman for the registrations, rarely functioned as such. One estimate says that WHOIS returns accurate and useful results less than 30% of the time.

At this juncture, there’s little reason to keep it around. It is inaccurate and incomplete to the point of being less than useless, and those that need the system have likely long found other paths to get the information they need (often going through the courts).

I have no doubt that there are ways to balance the safety of the internet with the privacy of registrars, but it’s pretty clear that ICANN is not the organization to figure it out. They’ve had 24 years with this problem and have come up with nothing.

To make matters worse, their newest proposal is so bad, most see it as less desirable than the status quo.

It’s a pretty spectacular failure. But somehow, it just keeps getting worse.
