Patented methods help Thick Whois registries handle privacy law compliance.
The U.S. Patent and Trademark Office has granted patent number 10,979,384 (pdf) to Verisign (NASDAQ: VRSN) for Systems and methods for preserving privacy of a registrant in a Domain Name System.
I wrote about the patent application in 2017 after it was published.
The patent describes methods for domain registries with Thick Whois models (in which the registry is required to store personal data) to comply with data laws. It’s Whois privacy with some twists, including using privacy providers in jurisdictions that are allowed to handle the data:
Provided herein is a solution to addresses the problem described above by defining a method by which personal information collection is delegated to privacy providers residing in a locality where it is legal to store the personal information. This addresses the problem of adhering to privacy laws by automating the production of a ‘cloaked identity’ that only the privacy provider knows is associated with the person. This cloaked identity can then be given to the person who’s identity is being cloaked and to various entities that need to associate some form of identity with data or a service the cloaked person is registering. The cloaked identity is not associated with the personal information of the person except within the data storage of the privacy provider, and the privacy provider will not disclose that information unless a legal mechanism applicable to the locality of the privacy provider is used. The person’s private or personal information is therefore shielded except in cases where it is legally retrieved from the privacy provider.
The system could also create DNS records, such as for emailing the domain owner:
In some examples, the cloaked identity can include a cloaked email address. If the cloaked identity is a unique cloaked email address, several other benefits are possible. The cloaked email address can be used to communicate with the person without having personal information being accessible by a party that knows the cloaked email address unless they go through a legally accepted process to get it from the privacy provider. If the cloaked email address and the public key for a person is recorded in an secure/multipurpose internet mail extensions (“S/MIME”) A-type record (also called a S/MIMEA) in a DNS server under a domain owned by the person, then proof of origin of data and email from the person can be enabled using digital signature. Proof of origin for an email is achieved if the person has used their private key to sign an email sent using the cloaked email account and a recipient uses the person’s public key received from the S/MIMEA record for the cloaked email account to verify the person’s digital signature.
Verisign’s .com namespace was scheduled to switch from a Thin Whois system to a Thick Whois System in 2018, but that has been delayed as ICANN wrestles with GDPR.
Andrew Fregly, Principal Engineer at Verisign, is listed as the inventor. Verisign applied for the patent in March 2016 and it was granted today.