Towards an in-depth redesign of the WHOIS system: with what risks?

Towards an in-depth redesign of the WHOIS system: with what risks?

April 23, 2019

An ICANN working group has submitted a report for a major review of the operation of WHOIS, the Internet Domain Name Database System. The proposal for a single, centralized base is not without risk.
The ICANN Working Group on Internet Domain Name Directories submitted a report 2 days ago which could lead to a major revision of the way WHOIS works, the system of databases that manage domain name information. And the proposal to create a single and centralized base, probably hosted in the US, is not without risks.

Why review WHOIS?

Today, the WHOIS system poses two types of problems, related to its consistency and the protection of privacy. WHOIS is now a decentralized system, in which each registry is responsible for information about the domain names it is responsible for. Thus, in the absence of strict rules that apply to all, we do not have exactly the same information for one area or another, according to the register that deals with it. Beyond the technical information, some registers disclose very detailed information about the holders of the domain names. This information includes names of people with their email address and phone number. Other registers are much stricter on the respect of the private life and do not expose at all this information, which they keep confidential. This is not neutral, as it is well known that WHOIS databases are a source of e-mail addresses for spammers of all kinds.
That could upset our habits a little: who among you has never launched a WHOIS request to see which entity or person was behind a particular domain name? Clearly, if this proposal were adopted, the potential gain in terms of privacy protection would be paid by a decrease in the transparency of the system: it will no longer be known who owns a domain name.

Centralization of data in the US

From a data security point of view, it is hoped that the future global, centralized WHOIS database will benefit from the highest level of security possible, since fraudulent access to this database and the theft of millions of e-mail addresses would appear to be a real problem, just like a technical incident that would affect all the domain names of the Internet and the activity of all registers. But that may not be the real danger, if you look at it in the light of recent revelations about the PRISM surveillance system put in place by the United States. So we can ask the following questions:

Is it reasonable to entrust a US-based organization with a centralized database of all Internet domain names?
What will happen if one day the NSA or the CIA had a privileged entry to this system and decided to use it to divert domain names from their legitimate owners ??
It seems to me legitimate to ask these questions, and it would be good for the European Union to take a serious look at this issue.