“Martha: Truth or illusion, George; you don’t know the difference.

George: No, but we must carry on as though we did.

Martha: Amen.”

Edward Albee, Who’s Afraid of Virginia Woolf?


Since February, the prominent security reporter Brian Krebs has been writing on his widely read blog, Krebs on Security, that publicly accessible WHOIS records are essential to tackling cybercrime. His analysis, coupled with his reputation in the field, has seen campaigns like #WeNeedWHOIS launched to prevent WHOIS from “going dark” because of the privacy protections in Europe’s General Data Protection Regulation. There’s just one problem: WHOIS isn’t going dark; the only fields that are going to be cloaked are those that cybersecurity researchers and investigators might not even need in order to do their jobs. Those who need additional information, such as law enforcement agencies involved in a legitimate investigation, will be able to get more.

In this post, we will explore the small changes coming to WHOIS, and we will show how little impact they are likely to have when you fight spam, botnets, and DDoS attacks. It is true that some users of WHOIS, such as trademark attorneys, may need to rethink the methods they use to contact registrants, but cybersecurity research will still be able to take place provided you do not access the personal information of domain name registrants.

WHOIS won’t go dark, and it won’t go away.

We would like to begin by debunking the myth that with enforcement of the European Union’s General Data Protection Regulation (GDPR) coming into effect, WHOIS will go dark. All of the data fields which exist today will continue to exist in WHOIS, with all the same data continuing to be collected. However, a very small number of fields will no longer be publicly displayed. Fields which contain the personal information of domain name registrants, such as their home address or phone number, will have to be removed from public view. The majority of fields, and all which are critical to the operation of the Domain Name System, like nameservers and expiration dates, will remain public.

Security researchers who do not rely on personal and sensitive information in order to carry out their work will not be impacted in any way by the GDPR. Security researchers will still have access to the zone file, as it does not contain any personal information. If there is a need for a searchable WHOIS system, which includes proportionate access to personal information, then some kind of accreditation mechanism will need to be developed to enable those parties with a legitimate need to retrieve these records to do so. This mechanism is not yet in place in an automated fashion; however, its absence does not mean WHOIS is going dark.

A fundamental principle of data protection law is that the processing of personal data should be limited to that which is necessary for a defined purpose. Security researchers do not need to be able to identify a domain name registrant, which is the case today where the WHOIS is a public directory of personal information. What most security researchers need is to be able to contact a domain name registrant in case of a technical issue, and this will continue to be the case. One key change is that you will no longer be able to see a registrant’s email address. Under the GDPR, email addresses are considered personal information and must therefore be stored and processed according to strict privacy and security guidelines. As the GDPR was adopted to harmonize the power balance between data controllers, data processors, and data subjects, it would be an unfair burden on the registrant to expect them to use an email address in their registration that could not identify them.

If you need to get in touch with a website’s administrator, you will be able to do so in a less intrusive manner: by using an anonymized email address, or a webform, to reach them (the exact implementation will depend on the registry). If this change is inadequate for your “private detective” activities and you require full WHOIS records, including the personal information, then you will need to declare to a domain name registry your specific need for and use of this personal information. Nominet, for instance, has said that interested parties may “request the full WHOIS record (including historical data) for a specific domain and get a response within one business day for no charge.”

Security researchers and businesses that harvest personal information from the WHOIS today on an industrial scale may need to refine and remodel their research methods and their business models. As we have seen in other fields like clinical care, research can be effectively undertaken with anonymized data to identify patterns.

Privacy/proxy services didn’t break the Internet.

For several years now, some WHOIS records have already been cloaked by privacy/proxy services, and the Internet as we know it has not come to an end. While a registrant’s personal information is not available for everyone to see, if you have a legitimate need for a registrant’s home address or phone number, you can contact the privacy/proxy service to request the information. Such a request will likely be granted, and if the service does not cooperate, you could even apply for a court order to require the registrant’s privacy service to disclose this information.

People register domain names because they want to speak, to share knowledge, to uncover corruption. Being able to speak anonymously protects people with unpopular but lawful opinions, allowing them to be heard without fear of reprisal or harm. Privacy/proxy services protect whistleblowers who expose crimes, and they protect cybersecurity researchers, who would most likely not want their home address scattered all over the Internet either. Keeping a domain name registrant’s personal information private significantly reduces the registrant’s risk of suffering harassment, intimidation, and identity theft.

When privacy/proxy services came into effect, some among the anti-spam community argued that those who use such services would most likely be engaged in illegal activities. This, however, turned out to be conjecture. While a small percentage of registrants who use privacy/proxy services do engage in illegal activities, a 2013 study by Clayton and Mansfield (p.18) found that “When domain names are registered with the intent of conducting illegal or harmful Internet activities then a range of different methods are used to avoid providing viable contact information – with a consistent outcome no matter [whether or not a privacy/proxy service] is used.”

In other words, those who register domain names to carry out illegal activities do not provide accurate contact information whether they use a privacy/proxy service or not, so it does not stand to reason that the removal of personal information from the public WHOIS output will lead to an increase in illegal activities.

The GDPR is an evolution, not a revolution.

Gregory Mounier from Europol has been quoted as stating it will be difficult for security researchers to mitigate against botnets if there is no accreditation system in place when enforcement of the GDPR begins:

“If you don’t have an accreditation system by 25 May then there’s no means for cybersecurity folks to get access to this information …Let’s say you’re monitoring a botnet and have 10,000 domains connected to that and you want to find information about them in the WHOIS records, you won’t be able to do that anymore. It probably won’t be implemented before December 2018 or January 2019, and that may mean security gaps for many months.”

This statement is incorrect. The GDPR only applies to personal information like a registrant’s name, home address, and email address, and it does not impact other, more useful WHOIS data elements. Most botnet monitoring today occurs through machine learning and is often an automatic process. The data elements that automated processes use to mitigate against botnets will remain accessible. Moreover, Mounier’s example does not seem to be about the urgent mitigation of botnets, but about an ongoing investigation that entails monitoring and finding information about the perpetrators. That is firmly within the territory of law enforcement agencies, who will, through a system of tiered access, have immediate access to the WHOIS data of registrants. It does not follow that publishing personal data for everyone in the world to retrieve is the appropriate way to serve these legitimate purposes.
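To make the field split concrete, here is an added illustration (not code from the original post or from any registry) of the tiered-access model described above: a constructed WHOIS record is reduced to a public view that keeps the operational fields and replaces the registrant’s email with a relay address, an accredited view returns the full record only to a requester on an accreditation list, and a simple abuse-triage heuristic is run over the public view alone to show that it consumes none of the cloaked fields. The domain, registrar, relay address format, requester list and field names are all assumptions made for the example.

```python
"""Tiered WHOIS view as the post describes it (added example, not the post's own code).

All domain names, addresses and the accreditation list below are constructed.
"""
from datetime import date

# Personal fields that leave public display under the model the post describes.
PERSONAL_FIELDS = frozenset({
    "registrant_name", "registrant_street", "registrant_phone", "registrant_email",
})

# Constructed sample record: operational fields plus personal fields.
SAMPLE_RECORD = {
    "domain": "example-login-update.test",
    "registrar": "Example Registrar Ltd",
    "creation_date": "2018-05-10",
    "expiration_date": "2019-05-10",
    "nameservers": ["ns1.example-dns.test", "ns2.example-dns.test"],
    "status": ["clientTransferProhibited"],
    "registrant_name": "Jane Doe",
    "registrant_street": "1 Sample Street, Sampletown",
    "registrant_phone": "+00.000000000",
    "registrant_email": "jane@example.test",
}

# Hypothetical accredited requester (e.g. a law enforcement unit).
ACCREDITED = frozenset({"lea-unit@example-police.test"})


def public_view(record, relay="contact-{domain}@relay.example-registrar.test"):
    """Public WHOIS output: personal fields dropped, a per-domain relay address
    exposed in place of the registrant's own email (a webform is the other option)."""
    view = {k: v for k, v in record.items() if k not in PERSONAL_FIELDS}
    view["registrant_contact"] = relay.format(domain=record["domain"])
    return view


def accredited_view(record, requester, purpose, audit_log):
    """Tiered access: only an accredited requester with a stated purpose gets the
    full record; every decision is appended to audit_log so disclosures are traceable."""
    if requester not in ACCREDITED or not purpose.strip():
        audit_log.append(("denied", requester, record["domain"]))
        raise PermissionError(f"{requester} is not accredited for personal WHOIS data")
    audit_log.append(("disclosed", requester, record["domain"], purpose))
    return dict(record)


def triage(view, today_iso, young_days=30):
    """Abuse-triage signals derived from the public view only.
    today_iso is an ISO date string so the caller needs no datetime import."""
    used = set()
    signals = []
    created = date.fromisoformat(view["creation_date"])
    used.add("creation_date")
    age = (date.fromisoformat(today_iso) - created).days
    if age < young_days:
        signals.append(f"registered {age} days ago")
    for word in ("login", "update", "verify"):  # generic lure words in the label
        if word in view["domain"]:
            signals.append(f"label contains '{word}'")
    used.add("domain")
    if len(view.get("nameservers", [])) < 2:
        signals.append("fewer than two nameservers")
    used.add("nameservers")
    # Guard: the heuristic must never depend on a cloaked field.
    assert not (used & PERSONAL_FIELDS), "triage touched a personal field"
    return signals


if __name__ == "__main__":
    log = []
    print(triage(public_view(SAMPLE_RECORD), "2018-05-25"))
    full = accredited_view(SAMPLE_RECORD, "lea-unit@example-police.test", "abuse investigation", log)
    print(full["registrant_email"], log)
```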

Rod Rasmussen, the chair of ICANN’s Security and Stability Advisory Committee, was quoted as saying:

“A lot of people who are using this data won’t be able to get access to it, and it’s not going to be pretty. Once things start going dark it will have a cascading effect. Email deliverability is going to be one issue, and the amount of spam that shows up in peoples’ inboxes will be climbing rapidly because a lot of anti-spam technologies rely on WHOIS for their algorithms.”

We disagree. Spam is not going to increase with the advent of the GDPR. Actually, domain name registrants, whose emails are currently public, may soon receive less spam in their inboxes. WHOIS is not a sufficient proxy for identifying a spammer, and while it may be one tool in a spam fighter’s toolkit, there are other, better tools that can be used, like IP address blacklists, keywords, and machine learning, that can protect our inboxes from unsolicited messages. All in all, it seems ‘WHOIS going dark’ in this context means that anti-spam businesses which have monetized indiscriminate access to the personal information of people in WHOIS will not be able to monetize it for a while. If the anti-spam community relies on the personal information of people in order to create its algorithms and tackle spam, then it should rethink its business model. After all, as the anti-spam community itself has said, WHOIS is only one tool to fight spam with!

It’s time to consider the privacy implications of our own activities and how they could impact trust in the shared, global Internet.

There is no question that the work undertaken by cybersecurity experts to mitigate the activities of malicious actors is vital for the security and stability of the Internet. However, like any complex and continually evolving challenge, there are multiple interests that must be balanced. The unfettered use by researchers of the personal information of domain name registrants is disproportionate and unjustifiable, because it has exposed, and continues to expose, these individuals to abuse.

We need to be more creative when it comes to fighting security challenges like botnets and spam. Using the personal data of domain name registrants, retrieved from WHOIS, is no longer the best approach. There are machine learning solutions to fight botnets, for instance, that do not depend on the personal information of a domain name registrant, because quite often these records are incomplete or inaccurate. If you have a need to contact a website administrator, you will still be able to do so come May 25, but if you need to identify someone, then your request will need to be examined for necessity and proportionality.

It concerns us greatly that the Internet can be used to perpetrate crime, and we fervently support bottom-up, agile multistakeholder approaches to policy making. While we recognize the important role of the private sector in combating cyber attacks through the use of the Domain Name System, the WHOIS in its present form does not comply with data protection law. Adherence to the law is key: stopping a phishing attack, important as that may be, simply does not justify breaking another law or violating the individual rights of innocent Internet registrants.

ICANN has had a long history of violating basic data protection norms. We have documented at least 15 letters to ICANN from Data Protection Authorities, the International Working Group on Data Protection in Telecommunications (‘Berlin Group’), and the European Data Protection Supervisor between 2000 and 2018. Indeed, it was the assessment of the Berlin Group back in 2000 that the WHOIS then was not fit for purpose. And it was the opinion of the Berlin Group in 2017 that, “It is questionable whether it is the role of ICANN, as a private corporation, to require its contracted parties to assemble data and provide it, without regard to human rights concerning fair legal procedure, to the global law enforcement community, and to private sector security companies.”

The privacy rights of domain name registrants have been ignored for far too long by ICANN. While proxy/privacy services provided some level of protection, they were marketed as a value-added service and had minimal consumer uptake. As our understandings of privacy have evolved, and the implications of modern technologies on our society have become more apparent, people around the world have expressed concerns over how their personal data is used, and what control they have over it, in our new, data-powered world. It is up to all of us who care deeply about the future of the Internet to consider how we can respect the fundamental right to privacy, something bestowed upon all of us, while carrying out our own missions. This is not just about adhering to the GDPR or other privacy and data protection laws; this is about recognizing that information that can identify people is personal data. If we are to meet the challenges of globalization, use data to deliver new products and services, and keep the Internet a trusted place for everyone everywhere, we all need to think carefully about how we can respect the privacy rights of Internet users.


49 thoughts on “WHOIS afraid of the dark? Truth or illusion, let’s know the difference when it comes to WHOIS”

  1. “A fundamental principle of data protection law is that the processing of personal data should be limited to that which is necessary for a defined purpose.”

    This is where I have a fundamental question about GDPR. Have I now lost the freedom to publish information about myself voluntarily? I don’t want my public personal data limited to that which is defined by the purpose. I want to add _more_ than that. So am I PREVENTED from putting my actual email address in WHOIS?

    1. You can publish any information about yourself you like. The whole point of data protection laws is to give you that choice, so it limits what other people do with your data, not what you do with it.

  2. John Chris: FYI, we do a lot of cybersecurity research here. Check our research section. And by the way, who are you? I suspect you are a fraud. Please publish your full name, home address and email in your comment. Otherwise we will delete your comment.

    1. This is indeed rich. You’re using a fake name and you demand that every person in the world who registers a domain name must be compelled to provide detailed personally identifiable information to anyone in the world who requests it. You refuse to provide additional information authenticating your claim to be an “expert” in investigations. You are a hypocrite, sir.
      And your critique of the article is full of holes. Which data elements in Whois form an essential part of malware reports and would they be lost, or just a bit harder to get post-GDPR? Can you even answer that question? Why does an email address need to be publicly displayed to any spammer in the world? What is wrong with access to the sensitive data being limited to bona fide law enforcement agencies? Until and unless you engage with those questions you are just playing a game of distortion and scare tactics. Doing so under cover makes your tactics even more dishonest.

  3. “What most security researchers need is to be able to contact a domain name registrant in case of a technical issue, and this will continue to be the case.”

    What kind of security research are you talking about? Please back this up.

    “If this change is inadequate for your “private detective” activities and you require full WHOIS records, including the personal information, then you will need to declare to a domain name registry your specific need for and use of this personal information.”

    They can hardly be bothered to respond to abuse complaints most of the time, you think they’re going to have a mature process for this?

    “As we have seen in other fields like clinical care, research can be effectively undertaken with anonymized data to identify patterns.”

    If you’re not exposing any data of note, you’re effectively nuking the whole dataset. With medical data there are many fields collected about care, schedules and outcomes that can be used to fuel research.

    I’m done reading this – you know nothing.

  4. The comments using a fake name and a fake email address have been deleted. We delete spammers’ comments, whether they are advertising spam sites or trolling. It was tempting to leave it up as a reminder of the double standard that is so rampant among advocates of no privacy in Whois, but better to have a serious dialogue.

    1. That’s pretty rich, Milton. Your blog post spends a lot of time talking about how people have the right to anonymous speech (i.e., “Being able to speak anonymously protects people with unpopular but lawful opinions, allowing them to be heard without fear of reprisal or harm”), and then you go and delete comments from someone who disagrees with your point of view based on the nit that they appeared to use a pseudonym?

      If you want to see what tolerance looks like, take a gander at my site krebsonsecurity.com. The vast majority of the comments there are extremely well-informed and on-topic, and yet I almost never remove comments unless they threaten people or are so inane or spammy that they don’t belong.

      Doesn’t seem to me that you are doing your audience any favors by censoring opposing viewpoints.

    2. Censorship against people who disagree with you and engage into a “heated” but argumentative discussion is not the definition of “a serious dialogue”. Quite the opposite actually.

    3. To Laurent, Tom, “Why do you want it,” and “Mike”:
      1. If you monitor our site you will find plenty of comments which disagree with our articles. We are happy to engage in reasoned and sometimes even not-well-reasoned debate with people who have different views – on any topic of our blog, including Whois and privacy.

      2. We’ve deleted comments in this case to give the commentators a taste of their own medicine. They believe that no one should be able to register or use a domain for public expression without providing complete and accurate identification and contact information, and making that PII available to anyone in the world who requests it. They believe that domains should be denied or taken down unless that happens. So it’s only fair to hold them to the same standard and see how they like it. The whining we’ve seen about it is truly amusing. Some people have no shame.
      Worse, these particular comments were engaged in little more than name calling (“moron,” “charlatan” etc.) It’s pretty odd for someone using a fake name and a fake email to be calling people “charlatans,” don’t you think? It’s interesting to see someone claiming to be an expert in cybersecurity investigations refuse to provide any backup for that claim, don’t you think? If you think the entire world needs to provide you with free and open personally identifiable information, it’s inexcusably hypocritical to refuse to subject yourself to the same standard, isn’t it?

      3. Learn the meaning of the word “censorship.” We are not a state actor. We are editors of our own privately run blog site. All sites moderate or take down comments that are spam, abusive, or just pointless. We have a right to do it, and that right is in fact guaranteed by the First Amendment. Read Miami Herald v Tornillo, where the Supreme Court held that exercise of editorial judgment is a protected First Amendment activity. We don’t prevent anyone from speaking their mind publicly in other places.

      1. Hey Milton, curious why two different comments I tried to leave here yesterday never got posted? It was linking back to my story that responds to some of the points made here:

        https://krebsonsecurity.com/2018/04/security-trade-offs-in-the-new-eu-privacy-law/

        Perhaps you would consider updating the above article to include my response (since you name drop me in the first paragraph, and because I extend you the same courtesy in my story).

        I find your reasoning behind deleting comments to be unconvincing, and such actions don’t support the claim that you’re interested in an open dialogue on this topic. How seriously do you expect people to take your arguments that everyone deserves complete anonymity online when you try to play !gotcha! with people who point out holes in your arguments?

        If you want to see what open dialogue looks like, take a look at my site. I think you will find that I have not sought to squelch other opinions nor deleted comments from people, regardless of how misinformed I think their opinions may be.

        I rarely, if ever delete comments; the only exceptions are true spam and people making personal threats against others. Comments loaded with profanity may get flagged as spam or held for moderation automatically.

        P.s. This marks my third attempt at getting a comment posted on this article.

  5. Seems like hypocrisy that “anonymity” in areas like domain names is expounded as a good thing, but anonymity in comments is seen as a bad thing and censored. Such hypocrisy from academia and socialist governments seems to be too common

    1. Hmmm, is “Why do you want it” your real name? Is nobody@nowhere.com your real email address? I’ve sent a verification message, Mr. want it. No response and you’re going down!
      Your IP address tells me you are from Iron Mountain in Scottsdale, Arizona by the way

      1. Hey Milton, you reference Brian Krebs in your article but you don’t answer his questions. I think you’re a fraud. It’s evident you do not know anything about cyber security.

      2. I think posting Why do you want it?’s email kinda goes against the “Your email address will not be published” text on the comments form…
        Why do you feel the need to publicly post the IP location of “Why do you want it?” What does doing so add to the discussion? Considering the site lacks a privacy policy, this is highly invasive at best, even if the email is blatantly fake.

  6. You aren’t walking the talk. You do not need anyone’s name or email address to read their arguments and share yours. Very disappointing.

  7. Let’s be honest. Your mind is made up and no amount of dialog will change outcomes here.

    Your efforts to cloak transparency in the guise of “privacy” are plain and clear.

    The fact that your verbal “hairs” are standing on end in reaction to the comments being provided is a tell of your true intentions.

  8. I regularly use the command line whois command on my Linux box to check whether some application, article, post, comment or otherwise is what I would consider legitimate. I fail to see how restricting the information available to the WHOIS tools from the WHOIS database is going to help anything. If the idea is to curb the scammers, spammers, domain squatters, or what have you, then perhaps change the limit on the number of requests from whois clients to slow their progress. Currently this implementation of removing what I consider the important identifying information from the WHOIS records just moves the issue to the registrars, who will now find their WHOIS webforms hammered to all hell by bots sifting for the information they need.

  9. A year ago I registered a numeric domain for the fun of it. Within days I had dozens of emails and postal mail offering me every web based service known to man. My information wasn’t sold by the registrar I used. In my 22 years of owning domains I have received less than 5 valid DNS/domain contacts where the information was retrieved through whois. I think we can see what Whois is really used for these days.
