Encryption could solve Whois crisis


The Anti-Phishing Working Group (APWG) has proposed a solution that could potentially resolve the ongoing Whois crisis. The General Data Protection Regulation (GDPR) recently enforced in the EU prohibits publishing personal data of domain name registrants on Whois although it is required by ICANN. Any attempts to compromise on the issue have not succeeded yet.

Domain Incite reports that APWG has sent a letter to ICANN with a proposal to encrypt registrants’ data for publication. Each registry and each domain registrar will have to generate their own encryption key. Registrants’ personal data protected by GDPR (contact info, etc.) will be encrypted using standard algorithms such as SHA-512. The fields on Whois containing private data would show the hash, a long string of gibberish that does not give out any information to users. This would be in compliance with GDPR. At the same time, cybersecurity experts or right holders could compare the hashes and track the domains that belong to the same registrants and that are used unlawfully, be it spam or a website for selling counterfeit products.

The solution is not flawless and will require huge efforts and resources from registries and registrars to implement encryption. Moreover, a unique private key for each registry and registrar will make it impossible to find violators that register domains in different domain zones or with different companies. However, this is one of the first attempts to propose a specific solution to the problem.