“Martha: Truth or illusion, George; you don’t know the difference.
George: No, but we must carry on as though we did.
Edward Albee, Who’s Afraid of Virginia Woolf?
Since February, the prominent security reporter Brian Krebs has been writing on his widely-read blog, Krebs on Security, that publicly-accessible WHOIS records are essential to tackling cybercrime. His analysis, coupled with his reputation in the field, has seen campaigns like #WeNeedWHOIS launched to prevent WHOIS from “going dark” because of the privacy protections in Europe’s General Data Protection Regulation. There’s just one problem: WHOIS isn’t going dark; the only fields that are going to be cloaked are those that cybersecurity researchers and investigators might not even need in order to do their jobs. Those who need additional information, such as law enforcement agencies involved in a legitimate investigation, will be able to get more.
In this post, we will explore the small changes coming to the WHOIS, and we will reveal how little an impact they are likely to have when you fight spam, botnets, and DDoS attacks. It is true that some users of WHOIS, such as trademark attorneys, may need to re-think the methods they use to contact registrants, but cybersecurity research will still be able to take place provided you do not access the personal information of domain name registrants.
WHOIS won’t go dark, and it won’t go away.
We would like to begin by debunking the myth that with enforcement of the European Union’s General Data Protection Regulation (GDPR) coming into effect, WHOIS will go dark. All of the data fields which exist today will continue to exist in WHOIS, with all the same data continuing to be collected. However, a very small number of fields will no longer be publicly displayed. Fields which contain the personal information of domain name registrants, such as their home address or phone number, will have to be removed from public view. The majority of fields, and all which are critical to the operation of the Domain Name System, like nameservers and expiration dates, will remain public.
Security researchers who do not rely on personal and sensitive information in order to carry out their work will not be impacted in any way by the GDPR. Security researchers will still have access to the zone file, as it does not contain any personal information. If there is a need for a searchable WHOIS system, which includes proportionate access to personal information, then there will need to be some kind of accreditation mechanism developed to enable those parties with a legitimate need to retrieve these records to do so. This mechanism is not in place yet in an automated fashion, however its absence does not mean WHOIS is going dark.
A fundamental principle of data protection law is that the processing of personal data should be limited to that which is necessary for a defined purpose. Security researchers do not need to be able to identify a domain name registrant, which is the case today where the WHOIS is a public directory of personal information. What most security researchers need is to be able to contact a domain name registrant in case of a technical issue, and this will continue to be the case. One key change is that you will no longer be able to see a registrant’s email address. Under the GDPR, email addresses are considered personal information and must therefore be stored and processed according to strict privacy and security guidelines. As the GDPR was adopted to harmonize the power balance between data controllers, data processors, and data subjects, it would be an unfair burden on the registrant to expect them to use an email address in their registration that could not identify them.
If you need to get in touch with a website’s administrator, you will be able to do so in what is a less intrusive manner of achieving this purpose: by using an anonymized email address, or webform, to reach them (The exact implementation will depend on the registry). If this change is inadequate for your “private detective” activities and you require full WHOIS records, including the personal information, then you will need to declare to a domain name registry your specific need for and use of this personal information. Nominet, for instance, has said that interested parties may “request the full WHOIS record (including historical data) for a specific domain and get a response within one business day for no charge.”
Security researchers and businesses that harvest personal information from the WHOIS today on an industrial scale may need to refine and remodel their research methods and their business models. As we have seen in other fields like clinical care, research can be effectively undertaken with anonymized data to identify patterns.
Privacy/proxy services didn’t break the Internet.
For several years now, some of the WHOIS records have already been cloaked by privacy/proxy services, and the Internet as we know it has not come to an end. While a registrant’s personal information is not available for everyone to see, if you have a legitimate need for a registrant’s home address or phone number, you can contact the privacy/proxy service to request the information. If you have a legitimate need for it, your request will likely be granted, and if they do not cooperate, you could even apply for a court order to require the registrant’s privacy service to disclose this information.
People register domain names because they want to speak, to share knowledge, to uncover corruption. Being able to speak anonymously protects people with unpopular but lawful opinions, allowing them to be heard without fear of reprisal or harm. Privacy/proxy services protect whistleblowers who expose crimes, and they protect cybersecurity researchers, who too would most likely not want their home address scattered all over the Internet. Domain name registrants whose personal information is kept private significantly reduces the registrant’s risk of suffering from harassment, intimidation, and identity theft.
When privacy/proxy services came into effect, some among the anti-spam community argued that those who use such services would most likely be engaged in illegal activities. This, however, turned out to be conjecture. While a small percentage of registrants who use privacy/proxy services do engage in illegal activities, a 2013 study by Clayton and Mansfield (p.18) found that “When domain names are registered with the intent of conducting illegal or harmful Internet activities then a range of different methods are used to avoid providing viable contact information – with a consistent outcome no matter [whether or not a privacy/proxy service] is used.”
In other words, those who register domain names to carry out illegal activities do not provide accurate contact information whether they use a privacy/proxy service or not, so it does not stand to reason that the removal of personal information from the public WHOIS output will lead to an increase in illegal activities.
The GDPR is an evolution, not a revolution.
Gregory Mounier from Europol has been quoted as stating it will be difficult for security researchers to mitigate against botnets if there is no accreditation system in place when enforcement of the GDPR begins:
“If you don’t have an accreditation system by 25 May then there’s no means for cybersecurity folks to get access to this information …Let’s say you’re monitoring a botnet and have 10,000 domains connected to that and you want to find information about them in the WHOIS records, you won’t be able to do that anymore. It probably won’t be implemented before December 2018 or January 2019, and that may mean security gaps for many months.”
This statement is incorrect. The GDPR only applies to personal information like a registrant’s name, home address, and email address, and it does not impact other, more useful WHOIS data elements. Most botnet monitoring today occurs through machine learning and is often an automatic process. The data elements that automated processes use to mitigate against botnets will remain accessible. Moreover, Mounier’s example does not seem to be about the urgent mitigation of botnets, but about an ongoing investigation that entails monitoring and finding information about the perpetrators. That is firmly within the territory of law enforcement agencies, who will, through a system of tiered access, have immediate access to the WHOIS data of registrants. It does not follow that publishing personal data for everyone in the world to retrieve is the appropriate way to serve these legitimate purposes.
Rod Rasmussen, the chair of ICANN’s Security and Stability Advisory Committee, was quoted as saying:
“A lot of people who are using this data won’t be able to get access to it, and it’s not going to be pretty. Once things start going dark it will have a cascading effect. Email deliverability is going to be one issue, and the amount of spam that shows up in peoples’ inboxes will be climbing rapidly because a lot of anti-spam technologies rely on WHOIS for their algorithms.”
We disagree. Spam is not going to increase with the advent of the GDPR. Actually domain name registrants, whose emails are currently public, may soon receive less spam in their inboxes. WHOIS is not a sufficient proxy for identifying a spammer, and while it may be one tool in a spam fighter’s toolkit, there are other, better tools that can be used, like IP address blacklists, keywords, and machine learning that can protect our inboxes from unsolicited messages. All in all, it seems ‘WHOIS going dark’ in this context means that anti-spam businesses which have monetized the indiscriminate access to personal information of people in WHOIS, will not be able to monetize it for awhile. If the anti-spam community relies on the personal information of people in order to create its algorithms and tackle spam, then it should rethink its business model. After all, as the anti-spam community itself has said, WHOIS is only one tool to fight spam with!
It’s time to consider the privacy implications of our own activities and how they could impact trust in the shared, global Internet.
There is no question that the work undertaken by cybersecurity experts to mitigate the activities of malicious actors is vital for the security and stability of the Internet. However, like any complex and continually evolving challenge, there are multiple interests that must be balanced. The unfettered use by researchers of the personal information of domain name registrants is disproportionate and unjustifiable, because it does and has exposed these individuals to abuse.
We need to be more creative when it comes to fighting security challenges like botnets and spam. Using the personal data of domain name registrants, retrieved from WHOIS, is no longer the best approach. There are machine learning solutions to fight botnets, for instance, that do not depend on the personal information of a domain name registrant, because quite often these records are incomplete or inaccurate. If you have a need to contact a website administrator, you will still be able to do so come May 25, but if you need to identify someone, then your request will need to be examined for necessity and proportionality.
It concerns us greatly that the Internet can be used to perpetrate crime, and we fervently support bottom-up, agile multistakeholder approaches to policy making. While we recognize the important role of the private sector in combating cyber attacks through the use of the Domain Name System, the WHOIS in its present form does not comply with data protection law. Adherence to the law is key: stopping a phishing attack, important as that may be, simply does not justify breaking another law or violating the individual rights of innocent Internet registrants.
ICANN has had a long history of violating basic data protection norms. We have documented at least 15 letters to ICANN from Data Protection Authorities, the International Working Group on Data Protection in Telecommunications (‘Berlin Group’), and the European Data Protection Supervisor between 2000 and 2018. Indeed, it was the assessment of the Berlin Group back in 2000 that the WHOIS then was not fit for purpose. And it was the opinion of the Berlin Group in 2017 that, “It is questionable whether it is the role of ICANN, as a private corporation, to require its contracted parties to assemble data and provide it, without regard to human rights concerning fair legal procedure, to the global law enforcement community, and to private sector security companies.”
The privacy rights of domain name registrants have been ignored for far too long by ICANN. While proxy/privacy services provided some level of protection, they were marketed as a value-added service and had minimal consumer uptake. As our understandings of privacy have evolved, and the implications of modern technologies on our society have become more apparent, people around the world have expressed concerns over how their personal data is used, and what control they have over it, in our new, data-powered world. It is up to all of us who care deeply about the future of the Internet to consider how we can respect the fundamental right to privacy, something bestowed upon all of us, while carrying out our own missions. This is not just about adhering to the GDPR or other privacy and data protection laws; this is about recognizing that information that can identify people is personal data. If we are to meet the challenges of globalization, use data to deliver new products and services, and keep the Internet a trusted place for everyone everywhere, we all need to think carefully about how we can respect the privacy rights of Internet users.