Policy and Advocacy
What’s at Stake
On May 25, 2018, the European Union’s General Data Protection went into effect. Though GDPR is rightly intended to only apply to “natural person” citizens of EU countries, the Internet Corporation for Assigned Names and Numbers (ICANN) has issued a broad and unnecessary interim guidance on the regulation. This guidance has led domain name registrars and registries worldwide, the companies that initially collect and therefore control the WHOIS data, to restrict access to major elements of the WHOIS record.
This means that registrars and registries not just in the EU, but everywhere in the world, believe they have the flexibility to block or reduce access to WHOIS records. This isn’t just an inconvenience; it undermines the integrity of the Internet and creates a significant risk to public safety. Blocking public access to full WHOIS directories will render the removal of illegal or malicious content and communications much more difficult, cumbersome, slow and inefficient.
The effects of this decision are already being felt. In March 2018, internet domain registrar GoDaddy began restricting access to some WHOIS data. As the largest registrar in the world, this sets a dangerous precedent that will surely be followed by competitors around the globe.
To maintain internet security and transparency, CSTI believes U.S. federal legislation is needed to require registries and registrars to provide open access to WHOIS records that are accurate, non-anonymous and accessible in bulk (Port 43-based queries).
Letters to U.S. House of Representatives Energy and Commerce Committee, Subcommittee on Communications and Technology
What Experts Are Saying
Government, industry, and academic experts from all varieties of organizations have spoken out against the danger of losing open-access to WHOIS data:
“It’s a basic tenet of consumer protection: consumers are better protected when there is transparency as to the seller’s identity and location, which creates a deterrent to ripping one’s customers off. Think about it this way: in the non-virtual world, businesses aren’t allowed to hide their identities. Why should the virtual world be any different? That’s why WHOIS is so important.”John Horton
“The Internet is an open network, fundamentally operating on trust. Whether the transaction you seek is commercial or informational, as an internet user you have a right to know who operates the website, e-commerce storefront, or email address on the other end of your connection. In the same way, security solutions will apply domain name ownership data at scale to help make trust/distrust decisions at internet scale to help inform your email spam filters and web browsing URL blocklists.”Tim Chen
“WHOIS is probably the single most useful tool we have right now for tracking down cybercrooks and/or for disrupting their operations.”Brian Krebs
“EU’s GDPR is going to undercut a key tool for identifying malicious domains on the internet. WHOIS database will be noncompliant, or have to purge the data that makes it useful to find bad actors… Cyber Criminals are celebrating GDPR”Rob Joyce
“ICANN’s WHOIS database plays an indispensable role in ensuring good governance, accountability, and transparency for the Internet. Legitimate public access to that database is crucial to the effective identification, prioritization, and allocation of resources to the policing of malicious and unlawful activity on the Internet and is fundamental to ICANN’s core mission. Given these realities, the Proposed Interim Model selected for GDPR-compliance of the WHOIS registry poses existential challenges to the ICANN mission. Our members are deeply concerned about the public health and safety, cybersecurity and consumer protection threats associated with this erosion.”Sean Heather
“Conducting online investigations is not easy, and FDA has a narrow, but important role in combatting the online sale of opioids. For good or bad, much of the Internet ecosystem, including dark nets, have adapted and changed to build in anonymity. Public information about the owner of a domain name, known as ‘whois’ data, is now often impossible to access with the implementation of the European General Data Protection Regulation (GDPR)…”Daniel Burke
“The actions taken by GoDaddy last month to throttle Port 43 access and to mask the information in certain WHOIS fields are of grave concern for NTIA given the U.S. Government’s interest in maintaining a WHOIS service that is quickly accessible for legitimate purposes.”David Redl
“Access to WHOIS for the security community is essential in the fight against cybercrime. A prolonged interruption will only profit criminals, and negatively affect privacy of internet users.”Thomas Schreck
“A lot of people who are using [WHOIS] data won’t be able to get access to it, and it’s not going to be pretty. Once things start going dark it will have a cascading effect. Email deliverability is going to be one issue, and the amount of spam that shows up in peoples’ inboxes will be climbing rapidly because a lot of anti-spam technologies rely on WHOIS for their algorithms.”Rod Rasmussen
“We strongly believe that if WHOIS is fragmented, it will have a detrimental impact on the entire Internet. A key function of WHOIS allows those participating in the domain name system and in other aspects of work on the Internet to know who else is working within that system. Those working on the Internet require the information contained within WHOIS to be able to communicate with others working within that system.”Göran Marby
“We strongly believe that if WHOIS is fragmented, it will have a detrimental impact on the entire Internet. A key function of WHOIS allows those participating in the domain name system and in other aspects of work on the Internet to know who else is working within that system. Those working on the Internet require the information contained within WHOIS to be able to communicate with others working within that system.”Akram Atallah
“Different providers having different solutions would actually make the work of law enforcement, security researchers and the like much more difficult … It might also be taken advantage of by some of the bad actors on the internet.”Angela Gunn
“New registrants won’t be anonymous to law enforcement agencies but the transition period will hamper individual investigators until ICANN can provide access for accredited persons to the satisfaction of GDPR. This situation is a shining example of why GDPR cannot be ignored.”Brian Chappell
“Ironically, some of the biggest losers in this scenario are EU residents who want to contact website owners to request that their personal data be corrected or deleted. Without access to WHOIS information, these individuals will have to hope that website owners provide accurate contact information (and actually respond to requests) on their websites.”Amy Grant
“So I was asked to come to give a cybersecurity perspective, and cybersecurity is one of the reasons that Microsoft uses WHOIS data. We work to disrupt some of the most difficult cybercrime issues facing society today. To give you an example of the scale of that, over the last six years, our Microsoft digital crimes unit has drawn on WHOIS data to disrupt malware associated with approximately 397 [million] distinct I.P. addresses.
“So if we’re asking what should an ultimate compliance model look like, I wanted to give a few examples of how we use WHOIS data and how that’s undermined by the temp spec as it currently stands.
“The first example I wanted to give relates to a link between cybersecurity and trademark enforcement. Attackers often create companies — create domain names that are similar to major brands, and these domains are then used by hackers to communicate with malware on targeted computers. And so by looking up WHOIS data, companies can sue for trademark infringement and take over the offensive domains, and then they can observe and strategically disrupt hacking operations. And that’s exactly what Microsoft did last year when we won a case against Fancy Bear. You might have heard of Fancy Bear. It is a — thought to be a state-sponsored cyber espionage group responsible for attacks European and political institutions. And so we’ve used tools like reverse WHOIS where we can identify some malicious domains by Fancy Bear and then we can go and find out other domains that they are using. And tools like reverse WHOIS and the ability to look at current and historical WHOIS data on an aggregated basis are under threat under the temp spec, and that undermines our efforts.”Ben Wallis
“In 2014, the team currently working at CINTOC was working on the case of Dawie Groenewald, one of the most notorious rhino horn traffickers in South Africa. Groenewald ran a professional hunting company that marketed to US hunters. Unbeknownst to the U.S. hunters, they were shooting rhinos and elephants illegally, and Groenewald smuggled the horns and tusks of the dead animals to Asia. Groenewald originally ran a U.S. hunting safari firm called Out of Africa Adventure Safaris, which lost its license to operate when Groenewald’s illegal activties were discovered. When we were working on the case, we noticed that another company Wild Africa Hunting Safaris featured the same photos on its website as Out of Africa. By using WHOIS information, we were able to confirm that the same individual registered Wild Africa Hunting Safaris as Out of Africa Adventure Safaris, and that the phone number listed linked back to Groenewald. WHOIS provided the tangible proof that the notorious safari company had renamed itself and continued business as usual, directly contributing to the extinction of the rhino.”Kathleen Miles
“From our analysis of over 300 survey responses, we find that the changes to WHOIS access following ICANN’s implementation of the EU GDPR, the Temporary Specification for gTLD Registration Data1 (‘Temp Spec’, adopted in May 2018), is significantly impeding cyber applications and forensic investigations and allowing more harm to victims. The policy has introduced delays to investigations and the reduced utility of public WHOIS data is a dire problem. Delays favor the attacker and criminal, who can claim victims or profit over longer windows of opportunity while investigators struggle to identify perpetrators or strip them of their assets (i.e., domain names) with limited or no access to the data that had previously been obtained or derived from WHOIS data. The loss of timely and repeatable access to complete WHOIS data is impeding investigations of all kinds, from cybercrime activities such as phishing and ransomware, to the distribution of fake news and subversive political influence campaigns.”David Piscitello