The GDPR could push ICANN to hide certain WHOIS information – that’s a problem
The GDPR may have some unintended consequences for WHOIS data and ICANN when it goes into effect on May 25. Under pressure from domain name registrars citing General Data Protection Regulation (GDPR) compliance, ICANN has proposed an interim plan that would hide critical WHOIS data.
This looks to be a big problem for security professionals that rely on ICANN’s WHOIS data to track down cybercriminals and keep the internet secure.
There’s a lot going on here, so let’s Hash it out.
What is ICANN?
The Internet Corporation for Assigned Names and Numbers (ICANN) is a not-for-profit organization that coordinates the maintenance and procedures for the namespaces of the internet. Put simply, ICANN helps ensure the stable, secure operation of the internet.
What is WHOIS?
WHOIS is a protocol for querying the internet databases that store information on users or assignees of internet resources. WHOIS registries typically contain organizational information in addition to domain names, IP address blocks and other autonomous systems. In many ways, WHOIS is like an internet phonebook. It’s used for a range of activities, from security research purposes to helping complete domain control validation checks for Certification Authorities. WHOIS stores and delivers information in a human-readable form.
What is the problem with WHOIS and the GDPR?
ICANN and the domain registrar industry have had an ongoing debate about the GDPR, which goes into effect May 25, and how to align WHOIS with the new privacy regulations. At stake is the nature of WHOIS, which, as we discussed, functions like a phone booth and contains personal identifying information (name, email address, physical address, phone number, etc.) on the company or individual that registered a given domain.
There is a current procedure in place for this that the registrars are fighting. That procedure, which is explicitly for when WHOIS conflicts with privacy laws, is a bit long-winded but provides a path forward where compliance can coexist with law enforcement or judicial investigations. Essentially, the procedure outlines five different actions that can be taken to help balance the rights of an individual with the needs of an authorized investigation.
Unfortunately, domain registrars are pushing ICANN to close the WHOIS “phonebook” entirely. In response, ICANN has proposed an interim solution it has nicknamed “the Cookbook.” The cookbook would censor email addresses, making it far more difficult to discover who is managing or controlling a given resource on the web. ICANN has also proposed obfuscating corporate information, despite the fact it’s under no obligation to do so under the GDPR. Unlike in the US, corporations in Europes don’t enjoy the same rights as individual people.
As the team at RiskIQ writes regarding ICANN’s proposed interim solution:
The ability to register domains anonymously is a massive problem for the security of the internet—attackers need to establish an infrastructure to originate their attack and set up servers to communicate with their malware. Often, they’ll register multiple domains at the beginning of an attack campaign for use during all phases of their operations. Security professionals rely on the WHOIS protocol to query for ownership information about a domain, IP address, or subnet. Without this data, it becomes significantly more difficult to rapidly take down phishing sites or compromised domains hosting malware—the vast majority of cybercriminal activities.
As the statement says, in addition to the other redactions, the cookbook approach would also make it impossible to see websites that are connected under the same management.
Why is this happening?
“…anything that will reduce the security line item on their budget is most welcome, if they can get away with it. Too many registrars would rather conceal the connectedness between domain assets than lose business or deal with reports of malicious activity. GDPR has become the perfect excuse for this because there is always ambiguity when new laws come out. If they can take advantage of this uncertainty to make the domain system more closed and private for their financial gain, they will certainly do it.”
I’m going to hedge a little on this and not categorically slam all registrars. After all, our parent company operates in an similarly interesting niche in the SSL industry and we wouldn’t be pleased to be lumped in with the the Trusticos of the world. So let’s just say some registrars may operate this way, but others are genuinely mindful of the responsibilities that come along with running their business.
Still, if the registrars get their way it’s going to cause a lot of problems for the rest of the internet. So far ICANN’s Government Advisory Committee (GAC) has suggested to its board that it should maintain the current structure of WHOIS as ardently as possible. The GAC’s Public Safety Working Group took that advice a step further, stopping just short of begging ICANN’s board to reconsider its “cookbook” proposal. The Public Safety Working Group also reiterated that this was an over-application for the General Data Protection Regulation, given that it blocks access to corporate contacts and in many cases prevents companies from protecting their own infrastructure.
What’s going to happen next?
The greatest fear in this scenario is that ICANN will just shut off access to WHOIS completely while it re-designs its phonebook to be GDPR compliant.
You can’t just close the book and tell security professionals, who rely on WHOIS data to keep the internet safe, to come back when it’s re-designed, potentially months later. It’s entirely unacceptable for ICANN to leave each registrar to decide if and how it will provide continuous access, with no means of enforcement. Continuous access must be mandatory.
To that end, RiskIQ has written an open letter to ICANN’s leadership urging to to act in the best interest of a secure internet. You can sign it here.
We will keep you apprised of this situation as it does pertain, to some extent, to the SSL industry as well. Currently there is debate at the CAB Forum about eliminating domain validation methods that make use of WHOIS record checking. Several Certificate Authorities, including Entrust, have requested more time so they can put together data and potentially make a counter proposal to strengthen those validation checks.
Regardless, the future of WHOIS seems to be mired in uncertainty. We’ll keep you posted.
Check out the rest of the Hashed Out GDPR Compliance Series
- GDPR: Introduction to a Series
- GDPR: How it affects the Domain Industry
- GDPR: How it affects Web Hosts
- GDPR: Problems for ICANN/WHOIS?
- GDPR: Complying with EU-US Privacy Shield
- GDPR: What is a Data Protection Officer?
- GDPR: Best Practices for Privacy Notices
- GDPR: What you need to know about Cookies
- GDPR: What is the Right to be Forgotten?
- GDPR: How to perform a Data Audit
- GDPR: Encryption Best Practices
- GDPR: When to report a Personal Data Breach