The future of WHOIS on WhoAPI

It’s been a while since the main focus in our company was WHOIS. And I’ve finally decided to break the radio silence. The main and only reason for now writing publicly about this earlier is because there just wasn’t a clear indication on how exactly the future of WHOIS landscape is going to look like after May 2018 and after the GDPR takes full effect.

Back in 2016 GDPR went live, and the world had 2 years to prepare. Those 2 years are up in May. This new law is going to make a huge impact on a lot of things. Here’s what I am going to focus in this post:

  1. WHOIS in general
  2. WhoAPI,
  3. You as a WhoAPI user (using only Whois API)

How will WHOIS change?

My personal opinion is that we were long overdue on a law like this. And that is all I will share from a personal standpoint. We had absolutely no vote in this change, but we will absolutely comply with this change. It still remains to be seen how exactly the WHOIS will look like after May 2018, so our software may change by then. Right now, we only have rumors and models of possibility.

Proposed Interim Models for Compliance with ICANN Agreements and Policies in Relation to the European Union’s General Data Protection Regulation

You can see in this PDF this is all about the private data in the WHOIS record. Although something like 20% of domain names have WHOIS privacy, and this number is growing, this is not enough. Too many people and companies use private data to spam and scam people. This is a far minority compared to the positive use cases, but nonetheless. If you are relying on WHOIS to get emails, names and phone numbers of domain name owners, your days are probably numbered.

How will WhoAPI change?

One thing is for sure, the future of WHOIS will change, and that will impact one of our APIs. WhoAPI isn’t just WHOIS API. We’ve just revamped our Screenshot API, just last year we launched Domain Score API and this change will have absolutely no impact on our Domain Availability API. Besides, we have other APIs as well. We hope that it is clear to everyone that we are primarily an API company and not a WHOIS company. So what will the change be?

Our Whois API will go through some changes after we see the final model ICANN introduces, and how registrars respond to the growing concerns of the GDPR. GoDaddy made a clear statement to everyone how they will no longer tolerate querying their WHOIS servers. As I’ve already mentioned, if you are looking for emails and phone numbers (which WhoAPI was never about), it may become impossible to get that data in the future. If this data remains available (and I am speculating here) under one of the ICANN models, WhoAPI will impose a stricter application process for access to our WHOIS API.

How will this impact me as WhoAPI user?

If you are using any of our API’s besides Whois API, this will not impact you in absolutely any way. If you are using our Whois API, the impact will vary based on the data you are looking for, and based on the model of WHOIS (how WHOIS will look like) that goes live after May. Again, I am speculating, but if you are using only information such as: domain registration dates, domain expiration dates, name of registrar, nameservers, there’s a good chance you will still be able to access this data. I base my speculation on the ICANN’s proposed model. And it’s just common sense (this is thin whois, and data isn’t considered private).

If you are using domain owner data that contains information such as: email, name, phone number, address, etc. there’s a good chance you won’t be able to access this data anymore.

It is too early to tell or to make guarantees, but if certain ICANN’s model is enabled, AND you have a legitimate positive use case, there’s a chance you might be able to get this data. And no, offering someone a website development just when they register a domain name is not a positive use case. Some of the positive use cases include cybersecurity, tracking down criminals, and fintech.

Our approach to whois after the GDPR

It is the first day after the GDPR is in full motion, and already we were reminded by a certain law firm that it is illegal to contain private data. Therefore I feel it is necessary I write this statement.

First of all, I’ll completely disregard how our American and Indian competition was and is conducting business, and due to this, they were also decimating us in market share. I’ll focus just on us and how we handled whois. Also, this post is not about double opt-in on your newsletter or our privacy policy which we also reacted accordingly and notified our clients. Hint, we didn’t have to change our privacy policy or our terms of use. They were spot on.

What we did have to change is our whois API and IP whois API (EOL in 2022).

For a long time, we haven’t even stored whois on our servers. That’s right. If you asked us the whois for whoapi.com, and then 5 seconds later, another user would ask that same whois, we would go and make the request again. Up until recently we never had a cached version of the whois. We never offered historical whois, nor were you able to purchase “an entire or partial whois database” from us. Never.

Since we did recently start to cache whois to improve speed and put less stress on the whois servers, we did end up having a small whois database. So here’s what we did to comply with the GDPR without waiting for ICANN or other domain registrars.

What we did to comply with GDPR on our whois API

  1. On the 18th of May we warned our clients of the upcoming changes if they were using our whois API and IP whois API
  2. On the 24th, we completely erased the before mentioned database containing whois information.
  3. On 25th we launched an updated whois API and IP whois API so that now it doesn’t display private data
  4. On 26th we reminded our clients that if they still have private data (especially originating from Europe) on their servers, they should consult with their legal department and probably destroy it like we have (and not to take this as a legal advice)

Today, if you make a whois request on our service, you will get some whois information like before (date of registration and expiration, nameservers, registrar name, etc), but not private data (email, phone number, name, etc.). This is retracted with the words “Disabled due to GDPR”. In essence, for us, GDPR was really simple. Simplified, if we couldn’t get the consent to work with the private data (which we couldn’t) we simply deleted it and ignored it. Case closed.

Furthermore, apart from whois, we do have Screenshot API, Domain Availability API, Blacklist API and several other APIs, so this clearly adds to the fact that we are not a WHOIS company, but an API company. So although GDPR and changes in the whois will affect our business we will continue to do business, here’s why.

Without disclosing sensitive information, I can share that a part of our clients isn’t interested in whois at all (remember, we have other APIs). Another part of our clients isn’t interested in private data within whois at all. (We’ve communicated this with them months ahead). And then we had a very small portion of clients interested in the private data. These will likely cancel their monthly subscription and terminate the contract, or they will keep using just the “non-private data”, because that’s all they can get and it is also helpful to them. So far, not a single client has unsubscribed, but we expect this to happen since we do have some cancellations every month.

No private data, even from outside of the EU

Let me reiterate once again the above statement. When I say “we don’t have any private data”, this doesn’t mean “we don’t have any EU private data”! It means we don’t have any private data, period! Whether the domain owner is in Australia, China, Japan, United States, or South Africa, we don’t show the email, name, address or phone number of that domain name owner. Why? Well, as much as this frustrates some of our potential clients, and they proceed to give money to our competitors, we feel that it is not ethically responsible to distribute millions of emails, phone numbers, and addresses to any marketing and sales individual that wants to spam domain name owners. At the end of the day, we sleep better.

We also feel that with GDPR, California Privacy Rights Act, and Brazil Data Privacy Act the writing is on the wall and the trend is clear. Contact details should only be obtained from the owner directly, with their permission. If this confuses you, please read about “Permission Marketing“.

Summary

To summarize, we currently don’t have s single piece of private data on our servers, other than those of our clients which we obtained their consent during the signup process. The whois information we distribute since 25th, does not contain any private data. Same as before, you need to signup if you want to access our services.

GoranDuskic

Goran Duskic has been the Founder and CEO of WhoAPI Inc. since 2011, a company that specializes in developing APIs, including the well-known Whois API. He started his career in internet entrepreneurship in 2006 and has co-founded several online businesses, including a web hosting company that he later sold. Goran's work primarily involves creating practical API solutions to meet technological needs.

Post a Comment

Your email address will not be published. Required fields are marked *