Solving The WHOIS GDPR Problem

Identifiers, not identities

Recently, ICANN received a letter explaining that the WHOIS database, which contains registration information for all existing domain names on the Internet, will be in violation of the European General Data Protection Regulations (GDPR) law when it goes into effect on May 25, 2018.

ICANN has responded, stating in essence that it has no solution to put in place prior to that date, and it needs an exemption, at least temporarily.

If WHOIS goes dark, it will be a significant blow to the infosec research community, as WHOIS data is often pivotal (no pun intended) when enriching data during an investigation.

A quick and efficient solution that would preserve the utility most need from a public WHOIS database is this: Replace identity information with identifiers. Rather than listing name, address, email, etc. for a domain owner, assign them a globally unique identifier. This identifier can then be used to do things such as determine which other domains are owned by the entity in question, without exposing their private information.

If communication with the entity behind the identifier is needed, it can be brokered in much the same way existing WHOIS privacy services handle this issue.

This will preserve much of the functionality needed from a public WHOIS, at least from the point of view of infosec professionals, while preserving the privacy of the domain owners.

As an added benefit(?), this will eliminate the need for WHOIS privacy vendors, allowing for one unifying, standardized format for representing public WHOIS data.

Just a thought.