“Martha: Truth or illusion, George; you don’t know the difference.
George: No, but we must carry on as though we did.
Martha: Amen.”
Edward Albee, Who’s Afraid of Virginia Woolf?
Since February, the prominent security reporter Brian Krebs has been writing on his widely-read blog, Krebs on Security, that publicly-accessible WHOIS records are essential to tackling cybercrime. His analysis, coupled with his reputation in the field, has seen campaigns like #WeNeedWHOIS launched to prevent WHOIS from “going dark” because of the privacy protections in Europe’s General Data Protection Regulation. There’s just one problem: WHOIS isn’t going dark; the only fields that are going to be cloaked are those that cybersecurity researchers and investigators might not even need in order to do their jobs. Those who need additional information, such as law enforcement agencies involved in a legitimate investigation, will be able to get more.
In this post, we will explore the small changes coming to the WHOIS, and we will reveal how little an impact they are likely to have when you fight spam, botnets, and DDoS attacks. It is true that some users of WHOIS, such as trademark attorneys, may need to re-think the methods they use to contact registrants, but cybersecurity research will still be able to take place provided you do not access the personal information of domain name registrants.
WHOIS won’t go dark, and it won’t go away.
We would like to begin by debunking the myth that with enforcement of the European Union’s General Data Protection Regulation (GDPR) coming into effect, WHOIS will go dark. All of the data fields which exist today will continue to exist in WHOIS, with all the same data continuing to be collected. However, a very small number of fields will no longer be publicly displayed. Fields which contain the personal information of domain name registrants, such as their home address or phone number, will have to be removed from public view. The majority of fields, and all which are critical to the operation of the Domain Name System, like nameservers and expiration dates, will remain public.
Security researchers who do not rely on personal and sensitive information in order to carry out their work will not be impacted in any way by the GDPR. Security researchers will still have access to the zone file, as it does not contain any personal information. If there is a need for a searchable WHOIS system, which includes proportionate access to personal information, then there will need to be some kind of accreditation mechanism developed to enable those parties with a legitimate need to retrieve these records to do so. This mechanism is not in place yet in an automated fashion; however, its absence does not mean WHOIS is going dark.
A fundamental principle of data protection law is that the processing of personal data should be limited to that which is necessary for a defined purpose. Security researchers do not need to be able to identify a domain name registrant, as they can today because the WHOIS is a public directory of personal information. What most security researchers need is to be able to contact a domain name registrant in case of a technical issue, and this will continue to be the case. One key change is that you will no longer be able to see a registrant’s email address. Under the GDPR, email addresses are considered personal information and must therefore be stored and processed according to strict privacy and security guidelines. As the GDPR was adopted to harmonize the power balance between data controllers, data processors, and data subjects, it would be an unfair burden on the registrant to expect them to use an email address in their registration that could not identify them.
If you need to get in touch with a website’s administrator, you will be able to do so in what is a less intrusive manner of achieving this purpose: by using an anonymized email address, or webform, to reach them (the exact implementation will depend on the registry). If this change is inadequate for your “private detective” activities and you require full WHOIS records, including the personal information, then you will need to declare to a domain name registry your specific need for and use of this personal information. Nominet, for instance, has said that interested parties may “request the full WHOIS record (including historical data) for a specific domain and get a response within one business day for no charge.”
Security researchers and businesses that harvest personal information from the WHOIS today on an industrial scale may need to refine and remodel their research methods and their business models. As we have seen in other fields like clinical care, research can be effectively undertaken with anonymized data to identify patterns.
Privacy/proxy services didn’t break the Internet.
For several years now, some of the WHOIS records have already been cloaked by privacy/proxy services, and the Internet as we know it has not come to an end. While a registrant’s personal information is not available for everyone to see, if you have a legitimate need for a registrant’s home address or phone number, you can contact the privacy/proxy service to request the information. If you have a legitimate need for it, your request will likely be granted, and if they do not cooperate, you could even apply for a court order to require the registrant’s privacy service to disclose this information.
People register domain names because they want to speak, to share knowledge, to uncover corruption. Being able to speak anonymously protects people with unpopular but lawful opinions, allowing them to be heard without fear of reprisal or harm. Privacy/proxy services protect whistleblowers who expose crimes, and they protect cybersecurity researchers, who too would most likely not want their home address scattered all over the Internet. Keeping domain name registrants’ personal information private significantly reduces their risk of suffering from harassment, intimidation, and identity theft.
When privacy/proxy services came into effect, some among the anti-spam community argued that those who use such services would most likely be engaged in illegal activities. This, however, turned out to be conjecture. While a small percentage of registrants who use privacy/proxy services do engage in illegal activities, a 2013 study by Clayton and Mansfield (p.18) found that “When domain names are registered with the intent of conducting illegal or harmful Internet activities then a range of different methods are used to avoid providing viable contact information – with a consistent outcome no matter [whether or not a privacy/proxy service] is used.”
In other words, those who register domain names to carry out illegal activities do not provide accurate contact information whether they use a privacy/proxy service or not, so it does not stand to reason that the removal of personal information from the public WHOIS output will lead to an increase in illegal activities.
The GDPR is an evolution, not a revolution.
Gregory Mounier from Europol has been quoted as stating it will be difficult for security researchers to mitigate against botnets if there is no accreditation system in place when enforcement of the GDPR begins:
“If you don’t have an accreditation system by 25 May then there’s no means for cybersecurity folks to get access to this information … Let’s say you’re monitoring a botnet and have 10,000 domains connected to that and you want to find information about them in the WHOIS records, you won’t be able to do that anymore. It probably won’t be implemented before December 2018 or January 2019, and that may mean security gaps for many months.”
This statement is incorrect. The GDPR only applies to personal information like a registrant’s name, home address, and email address, and it does not impact other, more useful WHOIS data elements. Most botnet monitoring today occurs through machine learning and is often an automatic process. The data elements that automated processes use to mitigate against botnets will remain accessible. Moreover, Mounier’s example does not seem to be about the urgent mitigation of botnets, but about an ongoing investigation that entails monitoring and finding information about the perpetrators. That is firmly within the territory of law enforcement agencies, who will, through a system of tiered access, have immediate access to the WHOIS data of registrants. It does not follow that publishing personal data for everyone in the world to retrieve is the appropriate way to serve these legitimate purposes.
Rod Rasmussen, the chair of ICANN’s Security and Stability Advisory Committee, was quoted as saying:
“A lot of people who are using this data won’t be able to get access to it, and it’s not going to be pretty. Once things start going dark it will have a cascading effect. Email deliverability is going to be one issue, and the amount of spam that shows up in peoples’ inboxes will be climbing rapidly because a lot of anti-spam technologies rely on WHOIS for their algorithms.”
We disagree. Spam is not going to increase with the advent of the GDPR. Actually, domain name registrants, whose emails are currently public, may soon receive less spam in their inboxes. WHOIS is not a sufficient proxy for identifying a spammer, and while it may be one tool in a spam fighter’s toolkit, there are other, better tools that can be used, like IP address blacklists, keywords, and machine learning that can protect our inboxes from unsolicited messages. All in all, it seems ‘WHOIS going dark’ in this context means that anti-spam businesses which have monetized the indiscriminate access to personal information of people in WHOIS will not be able to monetize it for a while. If the anti-spam community relies on the personal information of people in order to create its algorithms and tackle spam, then it should rethink its business model. After all, as the anti-spam community itself has said, WHOIS is only one tool to fight spam with!
It’s time to consider the privacy implications of our own activities and how they could impact trust in the shared, global Internet.
There is no question that the work undertaken by cybersecurity experts to mitigate the activities of malicious actors is vital for the security and stability of the Internet. However, like any complex and continually evolving challenge, there are multiple interests that must be balanced. The unfettered use by researchers of the personal information of domain name registrants is disproportionate and unjustifiable, because it has exposed, and continues to expose, these individuals to abuse.
We need to be more creative when it comes to fighting security challenges like botnets and spam. Using the personal data of domain name registrants, retrieved from WHOIS, is no longer the best approach. There are machine learning solutions to fight botnets, for instance, that do not depend on the personal information of a domain name registrant, because quite often these records are incomplete or inaccurate. If you have a need to contact a website administrator, you will still be able to do so come May 25, but if you need to identify someone, then your request will need to be examined for necessity and proportionality.
It concerns us greatly that the Internet can be used to perpetrate crime, and we fervently support bottom-up, agile multistakeholder approaches to policy making. While we recognize the important role of the private sector in combating cyber attacks through the use of the Domain Name System, the WHOIS in its present form does not comply with data protection law. Adherence to the law is key: stopping a phishing attack, important as that may be, simply does not justify breaking another law or violating the individual rights of innocent Internet registrants.
ICANN has had a long history of violating basic data protection norms. We have documented at least 15 letters to ICANN from Data Protection Authorities, the International Working Group on Data Protection in Telecommunications (‘Berlin Group’), and the European Data Protection Supervisor between 2000 and 2018. Indeed, it was the assessment of the Berlin Group back in 2000 that the WHOIS then was not fit for purpose. And it was the opinion of the Berlin Group in 2017 that, “It is questionable whether it is the role of ICANN, as a private corporation, to require its contracted parties to assemble data and provide it, without regard to human rights concerning fair legal procedure, to the global law enforcement community, and to private sector security companies.”
The privacy rights of domain name registrants have been ignored for far too long by ICANN. While proxy/privacy services provided some level of protection, they were marketed as a value-added service and had minimal consumer uptake. As our understandings of privacy have evolved, and the implications of modern technologies on our society have become more apparent, people around the world have expressed concerns over how their personal data is used, and what control they have over it, in our new, data-powered world. It is up to all of us who care deeply about the future of the Internet to consider how we can respect the fundamental right to privacy, something bestowed upon all of us, while carrying out our own missions. This is not just about adhering to the GDPR or other privacy and data protection laws; this is about recognizing that information that can identify people is personal data. If we are to meet the challenges of globalization, use data to deliver new products and services, and keep the Internet a trusted place for everyone everywhere, we all need to think carefully about how we can respect the privacy rights of Internet users.
“A fundamental principle of data protection law is that the processing of personal data should be limited to that which is necessary for a defined purpose.”
This is where I have a fundamental question about GDPR. Have I now lost the freedom to publish information about myself voluntarily? I don’t want my public personal data limited to that which is defined by the purpose. I want to add _more_ than that. So am I PREVENTED from putting my actual email address in WHOIS?
You can publish any information about yourself you like. The whole point of data protection laws is to give you that choice, so it limits what other people do with your data, not what you do with it.
A couple of non-security researcher, non-infosec people making claims about what kind of data is required for security operations. Have you ever conducted a fraud investigation, or dealt with an intrusion, or maintained a mail server? You clearly haven’t. You make confident claims about a line of work you know nothing about.
Georgia Tech, do you let any charlatan write blog posts?
John Chris: FYI, we do a lot of cybersecurity research here. Check our research section. And by the way, who are you? I suspect you are a fraud. Please publish your full name, home address and email in your comment. Otherwise we will delete your comment.
Comments disagreeing with you are fraudulent? Demanding home address on penalty of censorship? This is rich!
The article contradicts several people who are accomplished experts in their field and fails to provide proof as to why these experts are wrong about their own line of work. Can the authors please share the magical anti spam tools that will discover all related domains without any of the requisite information to do so? The rest of us would love a copy of that software.
The authors of this article are stepping far outside their area of expertise and should stop making claims about areas of work they aren’t involved with. “Most botnet monitoring today occurs through machine learning and is often an automatic process.” is one statement that proves lack of relevant work experience. Machine learning is one part, helpful but absolutely not sufficient to do what you claim, and is an overblown marketing buzzword. Anyone in this field would know that. Numerous malware reports include WHOIS as a pivotal aspect. I won’t go into the other ignorant statements. This policy report is too full of them.
This is indeed rich. You’re using a fake name and you demand that every person in the world who registers a domain name must be compelled to provide detailed personally identifiable information to anyone in the world who requests it. You refuse to provide additional information authenticating your claim to be an “expert” in investigations. You are a hypocrite, sir.
And your critique of the article is full of holes. Which data elements in Whois form an essential part of malware reports and would they be lost, or just a bit harder to get post-GDPR? Can you even answer that question? Why does an email address need to be publicly displayed to any spammer in the world? What is wrong with access to the sensitive data being limited to bona fide law enforcement agencies? Until and unless you engage with those questions you are just playing a game of distortion and scare tactics. Doing so under cover makes your tactics even more dishonest.
I thought you had such a respect for privacy that you would be capable of engaging with the content of my message without feeling the need to ascertain exactly who I am and where I live. And I am not even phishing anyone, I am merely committing the sin of dissent!
You should be celebrating the fact that I can challenge your arguments and you have no way to affect my life outside of this webform. I am also not making the statements you claim I am making, not demanding that registrants broadcast anything. I am simply saying that the authors are out of their league, and they don’t know how the Internet works. No need for the straw man.
My identity isn’t nearly as important as the identities of the people referenced in this article. They aren’t random people off the street. They are highly respected, highly accomplished people/organizations in their field.
Brian Krebs has listed extensive and detailed evidence for conclusions that could not have been made without info from the registrant. You make broad claims about what is not required, yet you fail to engage with any particular examples or show any actual proof. Until you can walk us through an investigation and show us these different methods, your arguments are unconvincing. Krebs presented a mountain of evidence and you present nothing.
Additionally, Europol might know a little bit more about botnet tracking than your group does. If you’re going to say “This statement is incorrect.” about their statement on how botnet tracking works, maybe your readers deserve to know why this highly credible organization is wrong and you are right.
Rod Rasmussen, a person who builds anti-spam tools and has founded successful companies to combat spam, might already know that “WHOIS is only one tool to fight spam with”, and might already be using all those to their maximum potential, don’t you think?
Why does this article try to lecture about how these experts at the top of their field must have overlooked something that can be found in a single Google search? And then fails to provide evidence?
I don’t think spammers should have access to more e-mail addresses, but if you knew anything about how e-mail harvesting works, you would understand that starving the beast doesn’t work, and WHOIS e-mail is one tiny portion of global spam. I am fine with a gated solution. I am not fine with charlatans making claims about industries they have no experience in. I am also not fine with straw man arguments, which you seem to make frequently. You should consider a job at Fox News after you fail out of policy school.
I only ask that you provide evidence of what the rest of us must be missing. We would all love to operationalize this knowledge, and then we will stop complaining. If you can’t provide proof, maybe you should rethink your approach, because this article is being shared in multiple security communities and is being laughed at.
Proof or GTFO.