Like many other public databases, Whois serves a vital public interest. It shouldn’t be private by default.
It’s becoming increasingly clear that privacy advocates are using GDPR as an opportunity to demand privacy for all domain name registrants. They are successfully framing the discussion as one in which privacy should be the expectation of everyone, and any exception to that requires scrutiny.
That’s a far cry from today’s status quo. No privacy is the default but privacy can be added.
Perhaps my view is colored by being a U.S. citizen, but I believe privacy advocates are going too far.
I have a reasonable expectation of privacy in my home. I don’t have one when I go out on the street. I also don’t automatically get privacy when I buy a home or car, start a business, or register a domain name.
Anyone in Austin can look up information about a homeowner’s property and its taxes through a centralized database. A record of my car purchase is available from the county or state. My name is attached to my business registrations. And for domains, there’s Whois.
Now, if I really want or need privacy, I can get it. But I have to put a little bit of effort into it. I can use a proxy for my transactions. A homebuyer can create a trust to buy a home or they can request their information be obscured in the county’s appraisal database. I can use a registered agent for my business. And I can use a Whois proxy service for my domain name.
The public is well served by making this information public. They can investigate who is behind a company. They can spot fraud or foreign governments spreading discontent. They can understand trends and find evidence of discrimination using public data.
Those people who need a little extra privacy can readily get it by essentially “opting out” of having their information public.
I’m fortunate to live in a country in which the government isn’t trying to silence bloggers (for the most part).
Anonymity can be a real problem for people in some parts of the world, and it’s an issue that domain name registrars have created a solution for: Whois proxy services, often called Whois privacy.
These services work really well and they can be added for free at many registrars. Registrars are good at pushing these services on registrants, too; GoDaddy adds them by default and asks people to opt out of using them.
Yes, you can interpret GDPR as meaning that Whois information should be private…for EU residents and citizens.
I also understand that the easiest approach for domain registrars is to use a blanket approach across all registrants.
But we should be careful about framing the discussion as privacy-first.
One of the areas where this is coming up is an accreditation system to give certain groups access to full Whois records. Privacy advocates are worried about people getting access to Whois records as these people chase down IP infringers, find phishers and, in my case, perform journalistic research.
Of course, GDPR will still apply to what people do with this data. I’m not going to take 20 unmasked Whois records of EU citizens and publish them. But there’s a real public interest in this data.
This is one of the reasons I believe there will still be a use for Whois proxy services in the age of GDPR. Even with an accredited access model, information will be seen by many groups…including government agencies.
If people truly need protection they can add a proxy service. At the same time, the public is served by making most of the information public.