An important tool for cybersecurity researchers and law enforcement may be the first victim of Europe’s new privacy law.
On April 11, the Internet Corporation for Assigned Names and Numbers (ICANN) made an unsurprising announcement signaling jeopardy for the “WHOIS” database, its decades-old system for keeping public records of who controls the hundreds of millions of internet domain names. After the EU said the system was illegal under the General Data Protection Regulation, which comes into force on May 25, ICANN announced that unless it is given more time to develop an alternative, WHOIS is likely to fracture or cease to exist entirely.
That’s a big deal for law enforcement. White House cybersecurity coordinator Rob Joyce noted on Twitter:
EU's GDPR is going to undercut a key tool for identifying malicious domains on the internet. WHOIS database will be noncompliant, or have to purge the data that makes it useful to find bad actors. @briankrebs is spot on. Cyber criminals are celebrating GDPR. https://t.co/GAH945ft5l
— Rob Joyce (@RobJoyce45) April 16, 2018
Below is an overview of what WHOIS is and why people such as Joyce are concerned.
ICANN is a nonprofit that coordinates the allocation of the numeric IP addresses computers use to reach one another. It also oversees the domain name system, which maps the human-readable names people type (like Lawfareblog.com) to those numbers.
ICANN also oversees WHOIS, a public lookup service that records who has registered each domain name. To keep its ICANN accreditation, a domain registrar—like GoDaddy or Google Domains—must collect contact information from its customers, including name, email and mailing address. Those requirements are not toothless: Registrants who provide false information or fail to update it risk having their domains suspended or canceled. Under ICANN’s contracts, that contact information is then published through WHOIS. The “database” is not a single central store but a service the registries and registrars run themselves, which is why different operators can end up publishing different things. (Some registrars offer a privacy-protection service that substitutes the service’s own contact details in public searches, but the registrar still keeps the real data on file.)
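To make the mechanics concrete, here is a minimal WHOIS client and record parser. It is an added example, not code from the article or from ICANN, and it assumes the classic protocol framing (the domain name plus CRLF sent over TCP port 43, reply read until the server closes), a key: value record layout, a referral from the registry’s thin record to the registrar’s server, and an illustrative list of wording that privacy services and redaction leave behind. The three sample replies are constructed; the domains and registrants in them are not real.

```python
import socket
from dataclasses import dataclass, field

WHOIS_PORT = 43  # plain-text query over TCP/43

# Registry server for .com/.net; its thin record names the registrar's own
# WHOIS server, which is where the contact fields actually live.
COM_REGISTRY_SERVER = "whois.verisign-grs.com"

# Assumed, illustrative markers left by privacy/proxy services and redaction.
REDACTION_MARKERS = ("redacted", "privacy", "proxy", "data protected", "not disclosed")


@dataclass
class WhoisRecord:
    domain: str = ""
    registrar: str = ""
    referral: str = ""          # "Registrar WHOIS Server" from a thin registry record
    registrant_name: str = ""
    registrant_org: str = ""
    registrant_email: str = ""
    registrant_country: str = ""
    masked: bool = False        # True when the record does not identify a real person/org
    fields: dict = field(default_factory=dict)


def whois_query(target: str, server: str, timeout: float = 10.0) -> str:
    """One WHOIS exchange: send the query line, read until the server closes."""
    with socket.create_connection((server, WHOIS_PORT), timeout=timeout) as sock:
        sock.sendall(target.encode("ascii") + b"\r\n")
        chunks = []
        while chunk := sock.recv(4096):
            chunks.append(chunk)
    return b"".join(chunks).decode("utf-8", errors="replace")


def parse_whois(text: str) -> WhoisRecord:
    """Extract the registrant fields from a key: value reply and flag masking."""
    rec = WhoisRecord()
    for raw in text.splitlines():
        line = raw.strip()
        # Skip blanks, comments and the ">>> Last update ... <<<" footer.
        if not line or line.startswith(("%", "#", ">>>")) or ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if value:
            rec.fields.setdefault(key, value)  # first occurrence wins for repeated keys
    f = rec.fields
    rec.domain = f.get("domain name", "").lower()
    rec.registrar = f.get("registrar", "")
    rec.referral = f.get("registrar whois server", "")
    rec.registrant_name = f.get("registrant name", "")
    rec.registrant_org = f.get("registrant organization", "")
    rec.registrant_email = f.get("registrant email", "")
    rec.registrant_country = f.get("registrant country", "")
    rec.masked = _is_masked(rec)
    return rec


def _is_masked(rec: WhoisRecord) -> bool:
    """Missing name, privacy/redaction wording, or an 'email' that is not an address."""
    if not rec.registrant_name:
        return True
    probe = " ".join((rec.registrant_name, rec.registrant_org, rec.registrant_email)).lower()
    if any(marker in probe for marker in REDACTION_MARKERS):
        return True
    return "@" not in rec.registrant_email


def lookup(domain: str, registry_server: str = COM_REGISTRY_SERVER) -> WhoisRecord:
    """Live lookup (network): query the registry, then follow the referral to the registrar."""
    rec = parse_whois(whois_query(domain, registry_server))
    if rec.referral:
        rec = parse_whois(whois_query(domain, rec.referral))
    return rec


# Constructed sample replies: a full record, a privacy-service record, and a GDPR-style redaction.
SAMPLE_FULL = """\
Domain Name: EXAMPLE-FULL.COM
Registrar: Example Registrar, Inc.
Registrar WHOIS Server: whois.example-registrar.test
Registrant Name: Jane Doe
Registrant Organization: Doe Consulting
Registrant Country: US
Registrant Email: jane@example-full.com
>>> Last update of WHOIS database: 2018-04-20T00:00:00Z <<<
"""
SAMPLE_PRIVACY_SERVICE = """\
Domain Name: EXAMPLE-MASKED.COM
Registrar: Example Registrar, Inc.
Registrant Name: Registration Private
Registrant Organization: Privacy Protect Service, Ltd.
Registrant Country: US
Registrant Email: contact@privacyprotect.test
"""
SAMPLE_GDPR_REDACTED = """\
Domain Name: EXAMPLE-REDACTED.COM
Registrar: Example Registrar, Inc.
Registrant Name: REDACTED FOR PRIVACY
Registrant Organization: REDACTED FOR PRIVACY
Registrant Country: DE
Registrant Email: Please query the RDDS service of the Registrar of Record for contact information
"""

if __name__ == "__main__":
    for sample in (SAMPLE_FULL, SAMPLE_PRIVACY_SERVICE, SAMPLE_GDPR_REDACTED):
        r = parse_whois(sample)
        print(f"{r.domain}: name={r.registrant_name!r} email={r.registrant_email!r} masked={r.masked}")
    # Live lookup: print(lookup("example.com"))
```

Run it as a script to see the three constructed records classified; only `lookup()` touches the network. The `masked` flag is the practical point: a privacy-service record and a GDPR-redacted record both still name the registrar and the country, but neither gives a researcher anyone to contact, which is the loss the rest of this piece is about.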
WHOIS, in its current form, conflicts with Europe’s new privacy law. The General Data Protection Regulation, or GDPR, imposes obligations on any organization that collects, processes or holds the personal data of people in the EU, including constraints on data retention, public access to data, international data transfers and data security. Publishing a registrant’s name, email and mailing address to anyone who asks is hard to square with those rules. After ICANN proposed an interim compliance arrangement on March 18, the Article 29 Working Party, the body of EU data protection authorities, replied that the proposal was too vague to show it met them.
ICANN says it can build a GDPR-compliant alternative through tiered access: the public record would be stripped of personal data, and accredited parties—such as journalists, law enforcement and trademark enforcers—would be permitted to see the full information. But ICANN says it would need until December just to develop a proposal for that system, let alone to implement one. Rod Rasmussen, the head of ICANN’s Security and Stability Advisory Committee, has said it would take even longer for such a system to be accredited. Security researcher and investigative journalist Brian Krebs reports:
Rasmussen ... said ICANN does not have a history of getting things done before or on set deadlines, meaning it may be well more than six months before researchers and others can get vetted to access personal information in WHOIS data.
Asked for his take on the chances that ICANN and the registrar community might still be designing the vetting system this time next year, Rasmussen said “100 percent.”
Without an extension, ICANN’s chief executive says the WHOIS database will fragment: Different registrars will turn over different types and amounts of data based on how they interpret their GDPR obligations, rendering the database unreliable.
The problem is that registrars, and not just ICANN, face liability under the GDPR for publishing registrant data through WHOIS if the ICANN system is not compliant. GDPR fines can reach 4 percent of a company’s global annual turnover or 20 million euros, whichever is higher, and most major registrars are private corporations with shareholder obligations that make exposure to penalties of that size hard to justify. GoDaddy is already reining in access to its WHOIS data.
For its part, the Commerce Department has sent a letter to ICANN expressing “grave concern … given the U.S. Government’s interest in maintaining a WHOIS service that is quickly accessible for legitimate purposes” and asking ICANN to examine whether GoDaddy was violating its accreditation contract. Commerce is right to be worried. Trademark enforcers rely on the database to identify the responsible parties for sites that violate intellectual property laws. The Federal Trade Commission has said WHOIS is essential to the agency’s consumer protection regime.
More critically, computer-crime investigators at the FBI have long relied on the database to track down bad actors on the web. In 2003, a senior official in the cyber division told Congress that his investigators were using WHOIS “almost every day.” He said that accurate database information was invaluable but that even when WHOIS returned inaccurate data it allowed investigators to serve subpoenas on the host to produce identifying information. WHOIS was important enough to the bureau’s activities that in 2008, it was looking to invest in creating a custom system to streamline access to the database. And as recently as 2016, the FBI noted that WHOIS plays a role in its investigations into worms, phishing, botnets, pharming, online gambling and online fraud. Even where the government could access the relevant information through other means when necessary, a fractured WHOIS system would substantially slow down those efforts.
Private security researchers and journalists could feel the effects of a fragmented system even more acutely than law enforcement. Brian Krebs writes:
WHOIS is probably the single most useful tool we have right now for tracking down cybercrooks and/or for disrupting their operations. On any given day I probably perform 20-30 different WHOIS queries; on days I’ve set aside for deep-dive research, I may run hundreds of WHOIS searches.
WHOIS records are a key way that researchers reach out to Web site owners when their sites are hacked to host phishing pages or to foist malware on visitors. These records also are indispensable for tracking down cybercrime victims, sources and the cybercrooks themselves. I remain extremely concerned about the potential impact of WHOIS records going dark across the board.
And while law enforcement has other legal mechanisms to compel at least some data to identify domain owners, private security researchers do not have the same authorities.
ICANN bears some of the blame for this debacle. By many accounts, it has ignored warnings from the EU for more than a decade and, though the EU Parliament approved the GDPR in 2016, ICANN began developing a compliance plan only six months ago. Although it is a position of ICANN’s own making, without a last-minute extension on GDPR enforcement from the EU, ICANN doesn’t have many options.
Allowing the WHOIS database to fracture is not a wise way to censure ICANN for its foot-dragging. With democracies under siege from online election interference and active-measures campaigns, this is no time to hamper governments’ and security researchers’ ability to identify and counter cyber threats. ICANN and the EU should find a mutually acceptable arrangement soon.