Policy and Advocacy

What’s at Stake

On May 25, 2018, the European Union’s General Data Protection went into effect. Though GDPR is rightly intended to only apply to “natural person” citizens of EU countries, the Internet Corporation for Assigned Names and Numbers (ICANN) has issued a broad and unnecessary interim guidance on the regulation. This guidance has led domain name registrars and registries worldwide, the companies that initially collect and therefore control the WHOIS data, to restrict access to major elements of the WHOIS record.

This means that registrars and registries not just in the EU, but everywhere in the world, believe they have the flexibility to block or reduce access to WHOIS records. This isn’t just an inconvenience; it undermines the integrity of the Internet and creates a significant risk to public safety. Blocking public access to full WHOIS directories will render the removal of illegal or malicious content and communications much more difficult, cumbersome, slow and inefficient.

The effects of this decision are already being felt. In March 2018, internet domain registrar GoDaddy began restricting access to some WHOIS data. As the largest registrar in the world, this sets a dangerous precedent that will surely be followed by competitors around the globe.

CSTI Views:

To maintain internet security and transparency, CSTI believes U.S. federal legislation is needed to require registries and registrars to provide open access to WHOIS records that are accurate, non-anonymous and accessible in bulk (Port 43-based queries).

Letters to U.S. Congress and Federal Agencies:

What Experts Are Saying

Government, industry, and academic experts from all varieties of organizations have spoken out against the danger of losing open-access to WHOIS data:

“It’s a basic tenet of consumer protection: consumers are better protected when there is transparency as to the seller’s identity and location, which creates a deterrent to ripping one’s customers off. Think about it this way: in the non-virtual world, businesses aren’t allowed to hide their identities. Why should the virtual world be any different? That’s why WHOIS is so important.”

John Horton

CEO, LegitScript

“The Internet is an open network, fundamentally operating on trust.  Whether the transaction you seek is commercial or informational, as an internet user you have a right to know who operates the website, e-commerce storefront, or email address on the other end of your connection.  In the same way, security solutions will apply domain name ownership data at scale to help make trust/distrust decisions at internet scale to help inform your email spam filters and web browsing URL blocklists.”

Tim Chen

CEO, DomainTools

“WHOIS is probably the single most useful tool we have right now for tracking down cybercrooks and/or for disrupting their operations.”

Brian Krebs

Expert, KrebsOnSecurity

“EU’s GDPR is going to undercut a key tool for identifying malicious domains on the internet. WHOIS database will be noncompliant, or have to purge the data that makes it useful to find bad actors… Cyber Criminals are celebrating GDPR”

Rob Joyce

Special Assistant to the President and Cybersecurity Coordinator, NSC

“ICANN’s WHOIS database plays an indispensable role in ensuring good governance, accountability, and transparency for the Internet. Legitimate public access to that database is crucial to the effective identification, prioritization, and allocation of resources to the policing of malicious and unlawful activity on the Internet and is fundamental to ICANN’s core mission. Given these realities, the Proposed Interim Model selected for GDPR-compliance of the WHOIS registry poses existential challenges to the ICANN mission. Our members are deeply concerned about the public health and safety, cybersecurity and consumer protection threats associated with this erosion.”

Sean Heather

Vice President, Center for Global Regulatory Cooperation US Chamber of Commerce

“Conducting online investigations is not easy, and FDA has a narrow, but important role in combatting the online sale of opioids. For good or bad, much of the Internet ecosystem, including dark nets, have adapted and changed to build in anonymity. Public information about the owner of a domain name, known as ‘whois’ data, is now often impossible to access with the implementation of the European General Data Protection Regulation (GDPR)…”

Daniel Burke

Senior Operations Manager, Cybercrime Investigations Unit of the U.S. Food & Drug Administration

“The actions taken by GoDaddy last month to throttle Port 43 access and to mask the information in certain WHOIS fields are of grave concern for NTIA given the U.S. Government’s interest in maintaining a WHOIS service that is quickly accessible for legitimate purposes.”

David Redl

Administrator, NTIA

“Access to WHOIS for the security community is essential in the fight against cybercrime. A prolonged interruption will only profit criminals, and negatively affect privacy of internet users.”

Thomas Schreck

Chair, Forum of Incident Response and Security Teams (FIRST)

“A lot of people who are using [WHOIS] data won’t be able to get access to it, and it’s not going to be pretty. Once things start going dark it will have a cascading effect. Email deliverability is going to be one issue, and the amount of spam that shows up in peoples’ inboxes will be climbing rapidly because a lot of anti-spam technologies rely on WHOIS for their algorithms.”

Rod Rasmussen

Chair, ICANN Security and Stability Advisory Committee

“We strongly believe that if WHOIS is fragmented, it will have a detrimental impact on the entire Internet. A key function of WHOIS allows those participating in the domain name system and in other aspects of work on the Internet to know who else is working within that system. Those working on the Internet require the information contained within WHOIS to be able to communicate with others working within that system.”

Göran Marby

President and CEO, ICANN

“We strongly believe that if WHOIS is fragmented, it will have a detrimental impact on the entire Internet. A key function of WHOIS allows those participating in the domain name system and in other aspects of work on the Internet to know who else is working within that system. Those working on the Internet require the information contained within WHOIS to be able to communicate with others working within that system.”

Akram Atallah

President, ICANN Global Domains Division

“Different providers having different solutions would actually make the work of law enforcement, security researchers and the like much more difficult … It might also be taken advantage of by some of the bad actors on the internet.”

Angela Gunn

Incident Response Consultant, BAE Systems Applied Intelligence

“New registrants won’t be anonymous to law enforcement agencies but the transition period will hamper individual investigators until ICANN can provide access for accredited persons to the satisfaction of GDPR. This situation is a shining example of why GDPR cannot be ignored.”

Brian Chappell

Senior Director, Enterprise & Solution Architecture, Beyond Trust

“Ironically, some of the biggest losers in this scenario are EU residents who want to contact website owners to request that their personal data be corrected or deleted. Without access to WHOIS information, these individuals will have to hope that website owners provide accurate contact information (and actually respond to requests) on their websites.”

Amy Grant

Senior Corporate Counsel, Tripwire

“So I was asked to come to give a cybersecurity perspective, and cybersecurity is one of the reasons that Microsoft uses WHOIS data. We work to disrupt some of the most difficult cybercrime issues facing society today. To give you an example of the scale of that, over the last six years, our Microsoft digital crimes unit has drawn on WHOIS data to disrupt malware associated with approximately 397 [million] distinct I.P. addresses.

“So if we’re asking what should an ultimate compliance model look like, I wanted to give a few examples of how we use WHOIS data and how that’s undermined by the temp spec as it currently stands. 

“The first example I wanted to give relates to a link between cybersecurity and trademark enforcement. Attackers often create companies — create domain names that are similar to major brands, and these domains are then used by hackers to communicate with malware on targeted computers. And so by looking up WHOIS data, companies can sue for trademark infringement and take over the offensive domains, and then they can observe and strategically disrupt hacking operations. And that’s exactly what Microsoft did last year when we won a case against Fancy Bear. You might have heard of Fancy Bear. It is a — thought to be a state-sponsored cyber espionage group responsible for attacks European and political institutions. And so we’ve used tools like reverse WHOIS where we can identify some malicious domains by Fancy Bear and then we can go and find out other domains that they are using. And tools like reverse WHOIS and the ability to look at current and historical WHOIS data on an aggregated basis are under threat under the temp spec, and that undermines our efforts.”

Ben Wallis

Regulatory Policy Analyst, Microsoft

“In 2014, the team currently working at CINTOC was working on the case of Dawie Groenewald, one of the most notorious rhino horn traffickers in South Africa. Groenewald ran a professional hunting company that marketed to US hunters. Unbeknownst to the U.S. hunters, they were shooting rhinos and elephants illegally, and Groenewald smuggled the horns and tusks of the dead animals to Asia. Groenewald originally ran a U.S. hunting safari firm called Out of Africa Adventure Safaris, which lost its license to operate when Groenewald’s illegal activties were discovered. When we were working on the case, we noticed that another company Wild Africa Hunting Safaris featured the same photos on its website as Out of Africa. By using WHOIS information, we were able to confirm that the same individual registered Wild Africa Hunting Safaris as Out of Africa Adventure Safaris, and that the phone number listed linked back to Groenewald.  WHOIS provided the tangible proof that the notorious safari company had renamed itself and continued business as usual, directly contributing to the extinction of the rhino.”

Kathleen Miles

The Center on Illicit Networks and Transnational Organized Crime (CINTOC)

“From our analysis of over 300 survey responses, we find that the changes to WHOIS access following ICANN’s implementation of the EU GDPR, the Temporary Specification for gTLD Registration Data1 (‘Temp Spec’, adopted in May 2018), is significantly impeding cyber applications and forensic investigations and allowing more harm to victims. The policy has introduced delays to investigations and the reduced utility of public WHOIS data is a dire problem. Delays favor the attacker and criminal, who can claim victims or profit over longer windows of opportunity while investigators struggle to identify perpetrators or strip them of their assets (i.e., domain names) with limited or no access to the data that had previously been obtained or derived from WHOIS data. The loss of timely and repeatable access to complete WHOIS data is impeding investigations of all kinds, from cybercrime activities such as phishing and ransomware, to the distribution of fake news and subversive political influence campaigns.”

David Piscitello

InterIsle Consulting Group / Anti-Phishing Working Group