The directory is WHOIS, a protocol from the early 1980s built for a network where knowing who ran each host was an operational courtesy among a few hundred institutions. It survived, essentially unchanged, into an internet of hundreds of millions of domains. Under ICANN's registrar contracts, anyone registering a .com, .net, .org, or other generic top-level domain had their registrant details published in plaintext, queryable by anyone with a terminal.
The consequences were predictable and well documented. Spammers scraped WHOIS for fresh email addresses and phone numbers. Harassers used it to find home addresses of bloggers and forum moderators. Data companies built historical archives, snapshotting records daily, so even registrants who later hid their details remained visible in the past tense. Domain squatters watched registration records for intelligence. Journalists and researchers used the same openness for accountability work, tracing scam infrastructure and disinformation networks, which is the genuine trade-off in this story: the same record that outs a blogger also outs a phishing operation.
What changed in 2018
The GDPR forced the issue. Publishing EU residents' personal data in a global directory without consent was plainly incompatible with the regulation, and in May 2018 ICANN adopted a Temporary Specification requiring registrars to redact personal data from public gTLD records. Almost overnight, most WHOIS results for .com domains went from a full contact card to "REDACTED FOR PRIVACY," and registrars applied the redaction globally rather than maintaining separate handling per jurisdiction.
The protocol itself was replaced too. RDAP, the Registration Data Access Protocol (RFCs 7480 through 7484), does what WHOIS could not: it runs over HTTPS, returns structured JSON instead of free-form text, and supports differentiated access, meaning a court or accredited investigator can potentially see more than an anonymous query. ICANN required gTLD registries and registrars to serve RDAP in 2019, and the old port 43 WHOIS service for gTLDs was formally sunset in January 2025. The name "WHOIS" persists colloquially, but the plumbing underneath is RDAP now.
Redaction hides your data from public queries. Your registrar still collects and stores your real name, address, and contact details, verifies them under ICANN accuracy rules, and discloses them in response to valid legal process. Registration privacy is publication control at the directory level. It has never been anonymity from the registrar or from courts.
The exceptions that catch people
The post-2018 default is good, but it is a default with holes, and the holes are where real-world exposure happens.
History is forever. Commercial WHOIS-history services hold snapshots going back two decades. If you registered a domain before 2018 without a privacy service, your details from that era are retrievable today regardless of what the current record shows. This is a standard technique in OSINT investigation and in deanonymization generally: the current record is clean, so you check the archive. If this applies to a domain you own and the address is one you still live at, it is worth knowing that the exposure exists; there is no reliable way to purge commercial archives.
Country-code domains set their own rules. The GDPR-driven redaction applies to generic TLDs under ICANN contract. Country-code registries answer to their own governments and policies. Nominet redacts individuals' data for .uk. CIRA applies privacy protection to individual registrants of .ca by default. At the other end, the .us registry policy, set under the US Department of Commerce, prohibits privacy and proxy registration outright: register a .us domain and your verified contact information is public, full stop. Anyone choosing a domain ending for a personal or activist project should read the registry's privacy policy before the marketing page.
Corporate registrations are treated differently. The redaction regime targets personal data of natural persons. Legal-entity registrations may remain published, and some registrars publish organization fields even when personal fields are redacted. If you registered a personal project under a company name that traces to you, the record may say more than you expect.
Privacy services, and when to still use one
Registrar privacy or proxy services predate the GDPR changes: the registrar substitutes its own proxy identity and a forwarding email in the public record. Since redaction became the default, these services matter less for gTLDs than they once did, but they still add two things. First, a proxy service replaces the record entirely rather than redacting fields, which also covers the organization and state/province fields some registrars continue to show. Second, some registrars' redaction practices differ in scope; a proxy is unambiguous. Most large registrars now include one free. If yours charges for it and you care, that is a signal about the registrar.
A short practical checklist for registering a domain you do not want tied to your identity in public records:
- Pick a gTLD (or a ccTLD with individual-privacy policy) over .us or similar mandatory-disclosure endings.
- Confirm the registrar's privacy/proxy service is enabled before the registration completes, not after. The first snapshot happens fast.
- Use a dedicated email alias for the registration, both for the record and because registrar accounts are a target for domain hijacking.
- Remember DNS itself leaks context: nameservers, mail records, and certificate issuance in Certificate Transparency logs are all public and all tell a story about who operates a domain.
- If the stakes are genuinely high (whistleblowing, work under a hostile government), a domain registered with payment details is the wrong tool. That threat model points toward infrastructure that never touches your identity, like onion services.
Where the policy fight is now
Redaction created a genuine tension that has not been resolved. Security researchers, trademark lawyers, and law enforcement lost a tool they used daily, and much of the post-2018 policy work has gone into building a gated replacement: ICANN's disclosure-request system lets parties ask registrars for redacted data with a stated legal basis, and RDAP's tiered-access design anticipates accredited parties seeing more than the public. Whether that gateway becomes an efficient accountability tool or a rubber stamp for bulk access is an open question worth watching, because it is the same question every privacy system eventually faces: who gets to pierce the veil, and who audits them.
The domain registration story is, in miniature, the story of internet privacy generally. A system designed for a small, high-trust network published everything; it took a regulation with teeth to change the default; the change arrived decades after the harm began; and the historical data remains. The lesson for anything you publish or register today is the one the pre-2018 registrants learned the hard way: assume every public record is being archived by someone, and decide what goes into it accordingly.