News & Updates
Cybersecurity stakeholders are pushing U.S. lawmakers to rescue WHOIS, a tool for identifying internet domain ownership that’s been hamstrung by the European Union’s privacy regulations.
Why it matters: WHOIS has been a public address book for domain owners since the earliest days of the internet. A bevy of online investigators — from law enforcement authorities to human rights groups to cybersecurity researchers — have long relied on its data. But the EU’s General Data Protection Regulation (GDPR) deems the information in WHOIS to be too personal to share without a thorough consent agreement.
CSTI to Host 2/7/19 Briefing: “How the Loss of Open, Accessible WHOIS Data is Turning the Open Web Into the Dark Web”
Since the dawn of the internet, law enforcement and security experts have relied on open, accessible bulk WHOIS data to protect networks, fight crime, and investigate online abuse. Companies and consumers also use on WHOIS data, directly and derivatively, to determine from whom they are buying goods or services. WHOIS data is the contact and technical information that registrants provide when setting up a domain name, much like the white pages of the internet.
“Conducting online investigations is not easy, and FDA has a narrow, but important role in combating the online sale of opioids. For good or bad, much of the Internet ecosystem, including dark nets, have adapted and changed to build in anonymity. Public information about the owner of a domain name, known as “whois” data, is now often impossible to access with the implementation of the European General Data Protection Regulation (GDPR)…”
– Daniel Burke, Senior Operations Manager, Cybercrime Investigations Unit of the U.S. Food & Drug Administration
“The real answer is that it is far too early to tell. Various articles currently state that ‘nothing has happened’ as a result of GDPR or ‘spam has fallen slightly’; however, the true effects of GDPR providing anonymity to domain owners will take a long time to play out. The main crux of the matter isn’t the effect GDPR is having on spam levels, but how it’s hampering organizations from effectively stopping career cybercriminals from defrauding innocent people.”
“2018 has been a tough year to be a domain name Whois record. For years Whois has been a favorite and uniquely effective tool of security researchers and law enforcement to battle cybercrime and cyberattacks, yet now that data will be kept under wraps to be metered out, if at all, under the watchful eye of domain name registrars whose strongest orientation in this matter is to their own legal certainty and the privacy of their customers. The situation DNS finds itself in is the unfortunate result of today’s privacy-centric global policy regimes.”
“The problems are severe. Anonymity fueled online pharmacies have become “notorious for selling unapproved, substandard, counterfeit and falsified medicine.” Recent reports show that more than half of online pharmacies offer controlled substances, with 40 percent of them offering one or more of the drugs frequently adulterated with fentanyl.”
“Several leading internet security and consumer safety organizations are joining forces to launch a new group called the Coalition for a Secure and Transparent Internet (CSTI). The group’s objective is to preserve a critical tool that protects internet users and consumers: WHOIS data, which functions as a sort of phone book for the internet. By permitting lookup of who has registered a domain name, WHOIS helps protect consumers from fraud, children from predators, and email users from spam and phishing.”