Exhibit A: Whois Privacy Changes

Due to the European Union General Data Protection Regulation (GDPR) going into effect on May 25, 2018, the Whois settings for domain names purchased through NetResult Web Marketing will also change beginning May 25, 2018, even for those NOT part of the European Union. Whois Privacy settings will change as follows:

View a more clear image of these changes in this PDF download, that opens in a new window. This PDF was written before May 25, 2018, so disregard the first two illustrations in the PDF...but the third and fourth illustrations are valid and can be helpful.

Do we still need Whois Privacy Protection?

Absolutely.

Regardless of any changes to the Whois system, Whois Privacy will remain a valuable service to registrants worldwide. Even when the public Whois “goes dark”—has data hidden, it is certain that there will still be a gated Whois, where registrant data will be made available to parties with a legitimate interest. So, while the audience for registrant data may no longer be the entire public, it will still be sizable.

This is where Whois Privacy comes in—if privacy is active on a domain, the personal data in the registration record will remain protected from those with access to the gated Whois. The service also provides a way for third parties to contact the domain owner via the privacy service email address displayed in the Whois output, an option that will not be provided as part of GDPR data protection. In addition, the personal data associated with a domain that is protected by Whois privacy will not be shared with registries.

Why is Whois Changing?

The Whois directory is a powerful tool. You can look up who owns a domain to find their phone number, email, even their postal address. You can check when a domain was first registered, where it’s hosted, when it expires — that’s a lot of information available with just a few clicks. And because this system has been around for so long, and is such a fundamental aspect of the internet, we often assume that how it currently works is how it should work. But just because something has been a certain way for a long time doesn’t mean it must always be that way, and the GDPR’s implementation has prompted the re-examination of many processes and policies.

What is Changing?

One particularly impactful section of the GDPR is Article 5, which lays out “principles relating to processing of personal data.” This is highly relevant to the Whois system, which is essentially just a repository of data, much of which is personally identifiable information about individuals. Under the GDPR, personal data may be collected and processed only when there is a legal reason to do so. For example, one such justification would be the performance of a contract; another is a situation where the data subject (the person to whom the data pertains) has given explicit consent for their data to be processed or collected.

The principle of data minimization requires that the data collected be relevant and limited to what’s truly necessary to carry out the agreed-upon purpose for which the data is being collected. To add to this, the principles of purpose limitation and confidentiality limit the handling of personal data such that it cannot be processed or shared for any purpose other than that to which the individual initially agreed.

Thus, in compliance with the GDPR:

• We can only collect the minimum amount of data necessary to perform a specific action (e.g. register a domain)
• Data can only be shared when there’s a legal basis to do so
• Data can only be shared when necessary to fulfil the intended purpose of the data collection

All that being said, the GDPR recognizes that there are times when there is a real, justifiable need for a third party to obtain personal data, such as domain ownership information, and these “legitimate interests” are also provided for within the policy. Think about, for example, an intellectual property lawyer who wants to know the owner of a domain in order to submit a trademark dispute, or a law enforcement officer tracking down the people behind a phishing scheme; they should be able to find out who owns the domain name under investigation. We need some way for Whois information to be provided to the people and organizations who have a legitimate reason for requesting it—but one that doesn’t involve publicly exposing this sensitive data by default.