{"id":6147,"date":"2018-03-28T14:17:49","date_gmt":"2018-03-28T18:17:49","guid":{"rendered":"https:\/\/www.thesslstore.com\/blog\/?p=6147"},"modified":"2020-11-24T11:58:58","modified_gmt":"2020-11-24T16:58:58","slug":"gdpr-whois-icann-match-made-hell","status":"publish","type":"post","link":"https:\/\/www.thesslstore.com\/blog\/gdpr-whois-icann-match-made-hell\/","title":{"rendered":"The GDPR, WHOIS and ICANN: A match made in hell?"},"content":{"rendered":"<h2>The GDPR could push ICANN to hide certain WHOIS information \u2013 that\u2019s a problem<\/h2>\n<p>The <a href=\"https:\/\/www.thesslstore.com\/blog\/preparing-gdpr-introduction-1\/\" target=\"_blank\" rel=\"noopener noreferrer\">GDPR<\/a> may have some unintended consequences for WHOIS data and ICANN when it goes into effect on May 25. Under pressure from domain name registrars citing General Data Protection Regulation (GDPR) compliance, ICANN has proposed an interim plan that would hide critical WHOIS data.<\/p>\n<p>This looks to be a big problem for security professionals who rely on ICANN\u2019s WHOIS data to track down cybercriminals and keep the internet secure.<\/p>\n<p>There\u2019s a lot going on here, so let\u2019s Hash it out.<span id=\"newline\"><\/span><\/p>\n<h2>What is ICANN?<\/h2>\n<p>The Internet Corporation for Assigned Names and Numbers (ICANN) is a not-for-profit organization that coordinates the maintenance and procedures for the namespaces of the internet. Put simply, ICANN helps ensure the stable, secure operation of the internet.<\/p>\n<h2>What is WHOIS?<\/h2>\n<p>WHOIS is a simple text-based query protocol (RFC 3912, served over TCP port 43) for querying the internet databases that store information on users or assignees of internet resources. WHOIS <a href=\"https:\/\/www.thesslstore.com\/blog\/eliminate-threats-to-your-domain-with-a-registry-lock\/\">registries typically contain organizational information in addition to domain<\/a> names, IP address blocks and autonomous system numbers. In many ways, WHOIS is like an internet phonebook. 
It\u2019s used for a range of activities, from security research to completing the domain control validation checks that Certificate Authorities perform before issuing a certificate. WHOIS stores and delivers information in a human-readable form.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-6149\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/03\/WHOIS-Query.gif\" alt=\"How a WHOIS query works\" width=\"726\" height=\"408\" \/><\/p>\n<h2>What is the problem with WHOIS and the GDPR?<\/h2>\n<p>ICANN and the domain registrar industry have had an ongoing debate about the GDPR, which goes into effect May 25, and how to align WHOIS with the new privacy regulations. At stake is the nature of WHOIS, which, as we discussed, functions like a phonebook and contains personally identifiable information (name, email address, physical address, phone number, etc.) on the company or individual that registered a given domain.<\/p>\n<p>There is a <a href=\"https:\/\/www.icann.org\/resources\/pages\/whois-privacy-conflicts-procedure-2008-01-17-en\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">current procedure<\/a> in place for this that the registrars are fighting. That procedure, which is explicitly for when WHOIS conflicts with privacy laws, is a bit long-winded but provides a path forward where compliance can coexist with law enforcement or judicial investigations. Essentially, the procedure outlines five different actions that can be taken to help balance the rights of an individual with the needs of an authorized investigation.<\/p>\n<p>Unfortunately, domain registrars are pushing ICANN to close the WHOIS \u201cphonebook\u201d entirely. 
In response, ICANN has proposed an interim solution it has nicknamed \u201cthe Cookbook.\u201d The cookbook would redact email addresses from public WHOIS output, making it far more difficult to discover who is managing or controlling a given resource on the web. ICANN has also proposed obfuscating corporate information, despite the fact that it\u2019s under no obligation to do so under the GDPR: the regulation protects the personal data of natural persons, and unlike in the US, corporations in Europe don&#8217;t enjoy the same data protection rights as individual people.<\/p>\n<p>As the team at RiskIQ writes regarding ICANN&#8217;s proposed interim solution:<\/p>\n<blockquote><p>The ability to register domains anonymously is a massive problem for the security of the internet\u2014attackers need to establish an infrastructure to originate their attack and set up servers to communicate with their malware. Often, they\u2019ll register multiple domains at the beginning of an attack campaign for use during all phases of their operations. Security professionals rely on the WHOIS protocol to query for ownership information about a domain, IP address, or subnet. Without this data, it becomes significantly more difficult to rapidly take down phishing sites or compromised domains hosting malware\u2014the vast majority of cybercriminal activities.<\/p><\/blockquote>\n<p>As the statement says, in addition to the other redactions, the cookbook approach would also remove the registrant contact fields that investigators pivot on to link websites operated under the same management.<\/p>\n<h2>Why is this happening?<\/h2>\n<p>RiskIQ <a href=\"https:\/\/www.riskiq.com\/blog\/external-threat-management\/icann-whois\/\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">blames it on the registrar industry<\/a>:<\/p>\n<blockquote><p>\u201c\u2026anything that will reduce the security line item on their budget is most welcome, if they can get away with it. Too many registrars would rather conceal the connectedness between domain assets than lose business or deal with reports of malicious activity. 
GDPR has become the perfect excuse for this because there is always ambiguity when new laws come out. If they can take advantage of this uncertainty to make the domain system more closed and private for their financial gain, they will certainly do it.\u201d<\/p><\/blockquote>\n<p>I\u2019m going to hedge a little on this and not categorically slam all registrars. After all, our parent company operates in a similarly interesting niche in the SSL industry and we wouldn\u2019t be pleased to be lumped in with the Trusticos of the world. So let\u2019s just say some registrars may operate this way, but others are genuinely mindful of the responsibilities that come along with running their business.<\/p>\n<p>Still, if the registrars get their way, it\u2019s going to cause a lot of problems for the rest of the internet. So far ICANN\u2019s Governmental Advisory Committee (GAC) has advised the ICANN board to preserve the current structure of WHOIS as far as possible. The GAC\u2019s Public Safety Working Group took that advice a step further, stopping just short of begging ICANN\u2019s board to reconsider its \u201ccookbook\u201d proposal. The Public Safety Working Group also reiterated that this was an over-application of the General Data Protection Regulation, given that it blocks access to corporate contacts and in many cases prevents companies from protecting their own infrastructure.<\/p>\n<h2>What&#8217;s going to happen next?<\/h2>\n<p>The greatest fear in this scenario is that ICANN will just shut off access to WHOIS completely while it re-designs its phonebook to be GDPR compliant.<\/p>\n<blockquote><p>You can\u2019t just close the book and tell security professionals, who rely on WHOIS data to keep the internet safe, to come back when it\u2019s re-designed, potentially months later. It\u2019s entirely unacceptable for ICANN to leave each registrar to decide if and how it will provide continuous access, with no means of enforcement. 
Continuous access must be mandatory.<\/p><\/blockquote>\n<p>To that end, RiskIQ has written an open letter to ICANN\u2019s leadership urging it to act in the best interest of a secure internet. <a href=\"https:\/\/cdn.riskiq.com\/wp-content\/uploads\/2018\/03\/Request-for-Adequate-Assurances-ICANN-Ltr-from-RiskIQ_3-26-18_final.pdf\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">You can sign it here<\/a>.<\/p>\n<p>We will keep you apprised of this situation as it does pertain, to some extent, to the SSL industry as well. Currently, there is debate at the CA\/Browser Forum about eliminating domain validation methods that make use of WHOIS record checking. Several Certificate Authorities, including Entrust, have requested more time so they can put together data and potentially make a counter-proposal to strengthen those validation checks.<\/p>\n<p>Regardless, the future of WHOIS seems to be mired in uncertainty. We\u2019ll keep you posted.<\/p>\n<h2>Check out the rest of the Hashed Out GDPR Compliance Series<\/h2>\n<ul>\n<li><a href=\"https:\/\/www.thesslstore.com\/blog\/preparing-gdpr-introduction-1\/\">GDPR: Introduction to a Series<\/a><\/li>\n<li><a href=\"https:\/\/www.thesslstore.com\/blog\/gdpr-domain-industry-registries-registrars\/\">GDPR: How it affects the Domain Industry<\/a><\/li>\n<li><a href=\"https:\/\/www.thesslstore.com\/blog\/7-tips-web-hosts-preparing-gdpr\/\">GDPR: How it affects Web Hosts<\/a><\/li>\n<li><a href=\"https:\/\/www.thesslstore.com\/blog\/gdpr-whois-icann-match-made-hell\/\">GDPR: Problems for ICANN\/WHOIS?<\/a><\/li>\n<li><a href=\"https:\/\/www.thesslstore.com\/blog\/gdpr-privacy-shield-compliance-us-businesses\/\">GDPR: Complying with EU-US Privacy Shield<\/a><\/li>\n<li><a href=\"https:\/\/www.thesslstore.com\/blog\/data-protection-officer\/\">GDPR: What is a Data Protection Officer?<\/a><\/li>\n<li><a href=\"https:\/\/www.thesslstore.com\/blog\/gdpr-privacy-notices\/\">GDPR: Best Practices for Privacy Notices<\/a><\/li>\n<li><a 
href=\"https:\/\/www.thesslstore.com\/blog\/cookies-gdpr-compliance-involves-consent\/\">GDPR: What you need to know about Cookies<\/a><\/li>\n<li><a href=\"https:\/\/www.thesslstore.com\/blog\/right-to-be-forgotten\/\">GDPR: What is the Right to be Forgotten?<\/a><\/li>\n<li><a href=\"https:\/\/www.thesslstore.com\/blog\/gdpr-data-audit\/\">GDPR: How to perform a Data Audit<\/a><\/li>\n<li><a href=\"https:\/\/www.thesslstore.com\/blog\/gdpr-encryption-best-practices-wp29\/\">GDPR: Encryption Best Practices<\/a><\/li>\n<li><a href=\"https:\/\/www.thesslstore.com\/blog\/gdpr-report-personal-data-breach\/\">GDPR: When to report a Personal Data Breach<\/a><\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>The GDPR could push ICANN to hide certain WHOIS information \u2013 that\u2019s a problem The GDPR may have some unintended consequences for WHOIS data and ICANN when it goes into&#8230;<\/p>\n","protected":false},"author":6,"featured_media":6148,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":"","tve_updated_post":"","tve_custom_css":"","tve_user_custom_css":"","tve_globals":{},"tcb2_ready":0,"tcb_editor_enabled":0,"tve_landing_page":"","_tve_header":"","_tve_footer":""},"categories":[16],"tags":[5742],"class_list":["post-6147","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-hashing-out-cyber-security","tag-gdpr","post-with-tags"],"views":22537,"jetpack_featured_media_url":"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/03\/bigstock-163084259.jpg","_links":{"self":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts\/6147","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.thessls
tore.com\/blog\/wp-json\/wp\/v2\/users\/6"}],"replies":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/comments?post=6147"}],"version-history":[{"count":0,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts\/6147\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/media\/6148"}],"wp:attachment":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/media?parent=6147"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/categories?post=6147"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/tags?post=6147"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
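Added example for the "What is WHOIS?" section and for the point that redacting registrant contacts breaks the ability to link websites under the same management. This Python was written for this edit and is not code from the original post, ICANN or RiskIQ. It assumes hypothetical domains under the reserved .test TLD with constructed WHOIS records, and assumes the literal string REDACTED FOR PRIVACY as the redaction marker. The query function follows RFC 3912 (send the name plus CRLF to TCP port 43, read until close) and needs network access, so the offline demo never calls it; the demo parses the constructed records and shows that once the registrant email is redacted, the email pivot yields nothing and the only pivot left, the shared name server, also drags in an unrelated domain on the same hosting.

```python
"""WHOIS query, parse and pivot (added example; not code from the original post)."""
import socket
from collections import defaultdict

# Assumed redaction marker: the literal text a registrar puts in place of contact
# data under the redaction proposal; such values carry nothing to pivot on.
REDACTION_MARKERS = {"redacted for privacy", ""}


def whois_query(name: str, server: str, port: int = 43, timeout: float = 10.0) -> str:
    """Raw WHOIS exchange per RFC 3912: connect to TCP/43, send the query plus
    CRLF, read until the server closes. Needs network; the offline demo never calls it."""
    with socket.create_connection((server, port), timeout=timeout) as sock:
        sock.sendall(name.encode("ascii") + b"\r\n")
        chunks = []
        while data := sock.recv(4096):
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")


def parse_whois(text: str) -> dict:
    """'Key: Value' lines -> {key: [values]}; keys may repeat (Name Server), and
    '%'/'#' comment lines and the '>>>' footer are skipped."""
    fields = defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("%", "#", ">>>")):
            continue
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip().lower()].append(value.strip())
    return dict(fields)


def pivot(records: dict, field: str) -> dict:
    """Group domains sharing a value of `field`, the way an investigator links
    infrastructure registered under one contact. Redacted values are dropped."""
    index = defaultdict(set)
    for domain, fields in records.items():
        for value in fields.get(field.lower(), []):
            if value.strip().lower() not in REDACTION_MARKERS:
                index[value.strip().lower()].add(domain)
    return {v: sorted(d) for v, d in index.items() if len(d) > 1}


def redact(records: dict, field: str) -> dict:
    """Simulate the interim proposal by blanking one field in every raw record."""
    out = {}
    for domain, text in records.items():
        lines = [f"{field}: REDACTED FOR PRIVACY"
                 if line.lower().startswith(field.lower() + ":") else line
                 for line in text.splitlines()]
        out[domain] = "\n".join(lines)
    return out


# Constructed sample responses: hypothetical domains and contacts, not real records.
SAMPLE_RECORDS = {
    "login-example-bank.test": """\
% Constructed sample record
Domain Name: LOGIN-EXAMPLE-BANK.TEST
Registrant Email: ops@mailer.example
Name Server: NS1.HOSTING.EXAMPLE
Name Server: NS2.HOSTING.EXAMPLE
>>> Last update of WHOIS database: 2018-03-28T00:00:00Z <<<
""",
    "secure-example-bank.test": """\
Domain Name: SECURE-EXAMPLE-BANK.TEST
Registrant Email: ops@mailer.example
Name Server: NS1.HOSTING.EXAMPLE
""",
    "unrelated-shop.test": """\
Domain Name: UNRELATED-SHOP.TEST
Registrant Email: owner@shop.example
Name Server: NS1.HOSTING.EXAMPLE
""",
}


def demo() -> dict:
    """Pivot on registrant email before and after redaction, then on name server."""
    full = {d: parse_whois(t) for d, t in SAMPLE_RECORDS.items()}
    redacted = {d: parse_whois(t) for d, t in redact(SAMPLE_RECORDS, "Registrant Email").items()}
    return {
        "email_pivot_full": pivot(full, "Registrant Email"),
        "email_pivot_redacted": pivot(redacted, "Registrant Email"),
        "ns_pivot_redacted": pivot(redacted, "Name Server"),
    }


if __name__ == "__main__":
    for name, groups in demo().items():
        print(name, groups)
```

The email pivot on the full records ties the two bank look-alike domains to one contact; after redaction it returns nothing, and the name-server pivot that remains groups all three domains together because they merely share a hosting provider. To run the query function against a live registry, pass the domain and the TLD's WHOIS server host (the hypothetical `server` argument) and feed the returned text to `parse_whois`.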