The purpose of this long blog post is to keep you informed of a significant development in the domain registration business, how it will affect you, what action you need to take and how to protect yourself from the criminals who will take advantage of the confusion that will no doubt be generated. We have also sent this via email to our clients.
The GDPR
In the last few months you may have heard rumblings about a new European law called the GDPR, the General Data Protection Regulation. This is a sweeping new law that will affect people in every corner of the globe, not just in the European Union (EU). It places a premium on the value of individual privacy, and restricts how the personal data provided by an individual may be used by companies and organisations. Fines for breach of the law can reach tens of millions of euros.
The GDPR is a good thing, and will address some glaring problems in our industry that we have referred to on a number of occasions, particularly the public WHOIS system where a domain registrant’s information is available for all the world to see, and is therefore used by scammers worldwide. However, even a good law is still a law and comes with an administrative burden for all parties.
On the hosting side of our business, not much (if anything) will change. We have always closely guarded the personal information of our clients — and that won’t change — and only collected what is technically and legally necessary to provide the services you contract from us.
Domain registrations
On the domain registration side of things, because of the fact that the domain registration system requires a number of entities to co-operate — registrant (you), registrar (currently OpenSRS/Tucows), reseller (NinerNet), registry (various, including Verisign, CIRA, ZICTA, etc.) and ICANN (the Internet Corporation for Assigned Names and Numbers) — you will start to see various transactional emails from us refer to the GDPR (which comes into force on 25 May 2018) and mechanisms for you to provide and, if necessary and possible, withdraw consent for use of your personal data. The need for you to fulfil your obligations as a domain registrant and respond to calls to action in emails will be in addition to actions you have needed to take until now. In short, it should mean a couple more emails per domain per year that you will need to pay attention to, but exactly how this manifests itself will develop over time, especially in the first year after this Regulation comes into force.
While it’s a reasonable question to ask why an EU law will apply to people and companies outside of the EU, the fact is that, worldwide, domain registries and registrars intend to comply with this Regulation and adopt a uniform system for managing it. Many jurisdictions have privacy laws, but the GDPR looks like it will be the most robust affecting the greatest number of people and the general feeling among proponents is two-fold: 1) Privacy is a good thing and we should follow the most stringent standards in favour of it, and 2) If we have to adjust policies and practices, then it makes no sense to have one set of policies and practices for some people and another for everyone else.
While this law affects all industries (and governmental organisations) in the EU and those (within and without the EU) that deal with European residents, the most visible effect in our industry will be on the public WHOIS (“who is”) system, where your personal information — name, address, phone number, email address, etc. — is currently published in public databases of domain registrants for everyone to see. These databases will continue to exist, of course, but access to them will be restricted, through layered access to a new “gated” WHOIS system, to legitimate accredited users that will include law enforcement organisations and intellectual property lawyers, as well as the registries, registrars and resellers directly involved in a particular domain registration.
Spammers, scammers and fraud artists
The one class of people that we certainly hope will no longer have access to this information is the fraud artists that fill your email every day — despite our best efforts — with offers to enlarge body parts, sell you web design and “search engine optimisation” services, scam you into sending them money for services they’ll never provide, and trick you into providing information to them that will lead to identity theft (phishing). With any luck, this new law will finally almost wipe out the spammers who harvest your email address from the WHOIS. It won’t stop those who get your unprotected email address off your website, or already have it or buy it from these unscrupulous individuals, but it should stop anyone else getting your email address if you change it in your existing domain registration.
But speaking of scams, as sure as night follows day (we’ve seen it before) these changes will no doubt lead to many scammers sending out emails urgently requiring you to take some action or another after clicking a link in their email. The text of the emails will use urgent language designed to scare you, but that they assume you will have heard in the news. They will refer to the GDPR and tell you that if you don’t go to a website and fill in a user name and password for your domain — and perhaps send them money too — your domain will be suspended and deleted.
DO NOT FALL FOR THIS! IT IS NOT TRUE!
As we have said over and over again for more than twenty years, if you receive an email about your domain or hosting from an email address that is not on the niner.net domain, then it is almost certainly a scam. If the email attempts to scare you into taking action immediately, then that only adds to the weight of evidence pointing to it being a scam. If you are concerned and not sure, we’re happy to advise you if you forward the email in question to us before taking any action.
Our new privacy policy
As with many Internet companies, the new GDPR has prompted us to revise our privacy policy. Our privacy policy — part editorial, part serious statement — is unlike any you have ever read. It provides some truth about the real problem with what the true purpose is of many (mostly larger) companies these days, and how we’re very different.
No action required at this time
Finally, no action is needed from you at this time. However, after 25 May you will start to receive email notices directing you to take GDPR-related actions, especially if you change anything to do with your domain, and possibly when you renew it.
If you have any questions, please let us know. Thank-you for your time.