The countdown has now begun for the introduction of the General Data Protection Regulation (GDPR). Although the implications of the new regulation have been widely discussed, one of its lesser known side effects could jeopardize user security instead of enhancing it. The reason is a conflict between the obligations imposed by the GDPR and WHOIS, the extensive system, managed by ICANN (Internet Corporation for Assigned Names and Numbers), that identifies to whom a domain belongs.
What is WHOIS and why is it important?
WHOIS is a protocol that enables you to find the names and contact details of the owners of a domain and was created by ICANN in the 1980s. It is, in fact, one of the oldest Internet tools to verify identities.
The WHOIS system is an invaluable resource for investigators and security forces: because its data is publicly available, it is a first line of enquiry whenever malicious activity is detected. Investigators use WHOIS to track the spread of malware or to discover who is really behind a malicious domain. ICANN has agreements with all domain registrars that require them to publish data such as the names, email addresses and phone numbers of those who register domains through their service.
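The investigator workflow described above, parsing WHOIS records, pulling out registrant contact fields and pivoting across domains that share a registrant, as an added example that is not part of the original article. The records are constructed samples (reserved .test names, fictitious contacts), the "REDACTED FOR PRIVACY" placeholder and the list of withheld-field markers are assumptions, and the code does not query any server.

```python
"""Parse WHOIS 'Key: Value' records and extract registrant contact data.

Added example with constructed sample records; nothing here is a real
registration and no network lookup is performed.
"""
from collections import defaultdict

# Constructed samples. Record two imitates a registrar that withholds
# contact fields; the wording of its placeholder is an assumption.
SAMPLE_RECORDS = [
    """\
Domain Name: sample-one.test
Registrar: Example Registrar, Inc.
Creation Date: 2017-03-01T00:00:00Z
Registrant Name: Jane Doe
Registrant Email: jane@mail.test
Registrant Phone: +1.5555550100
Name Server: ns1.sample-one.test
Name Server: ns2.sample-one.test
>>> Last update of WHOIS database: 2018-04-01T00:00:00Z <<<
""",
    """\
% Constructed record: registrar withholds contact fields
Domain Name: sample-two.test
Registrar: Example Registrar, Inc.
Registrant Name: REDACTED FOR PRIVACY
Registrant Email: REDACTED FOR PRIVACY
Registrant Phone: REDACTED FOR PRIVACY
Name Server: ns1.sample-two.test
""",
    """\
Domain Name: sample-three.test
Registrar: Another Registrar LLC
Registrant Name: Jane Doe
Registrant Email: jane@mail.test
Registrant Phone: +1.5555550100
Name Server: ns1.sample-three.test
""",
]

# Substrings that commonly stand in for withheld fields. Heuristic and
# assumed here; extend it for the servers you actually query.
WITHHELD_MARKERS = ("redacted", "privacy", "not disclosed", "withheld")
CONTACT_FIELDS = ("registrant name", "registrant email", "registrant phone")


def parse_whois(text):
    """Turn a WHOIS response into a dict: keys lower-cased, repeated keys
    (e.g. Name Server) collected into lists, %/# comments and the
    '>>> ... <<<' footer skipped, free-text lines ignored."""
    record = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "%#" or line.startswith(">>>"):
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip().lower(), value.strip()
        if key in record:
            prev = record[key]
            record[key] = (prev if isinstance(prev, list) else [prev]) + [value]
        else:
            record[key] = value
    return record


def is_withheld(value):
    """True when a field is absent or carries a redaction placeholder."""
    if not value:
        return True
    lowered = value.lower()
    return any(marker in lowered for marker in WITHHELD_MARKERS)


def registrant_contact(record):
    """Return name/email/phone plus a 'withheld' flag for the record."""
    contact = {field.split()[1]: record.get(field) for field in CONTACT_FIELDS}
    contact["withheld"] = any(is_withheld(v) for v in contact.values())
    return contact


def group_by_registrant(records):
    """Pivot: which domains share a usable registrant email? Records whose
    contact data is withheld land under None, as they link to nobody."""
    groups = defaultdict(list)
    for rec in records:
        contact = registrant_contact(rec)
        key = None if contact["withheld"] else contact["email"].lower()
        groups[key].append(rec["domain name"])
    return dict(groups)


if __name__ == "__main__":
    parsed = [parse_whois(t) for t in SAMPLE_RECORDS]
    for rec in parsed:
        print(rec["domain name"], registrant_contact(rec))
    print(group_by_registrant(parsed))
```

Run as-is, the pivot links sample-one.test and sample-three.test through their shared registrant email while sample-two.test, whose fields are withheld, cannot be attributed to anyone; that unlinkable bucket is exactly what grows as registrars stop publishing contact data.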
Even though its requirements cover all domains, the WHOIS system is under scrutiny and it has long been suggested that it is outdated. Even supporters readily admit that it is easy to provide false information, and it is estimated that some 40 percent of the data could be fraudulent or inaccurate. It is also true that WHOIS has traditionally been a mine of information for hackers and spammers, who can extract data from WHOIS databases to launch spam, target registered users or steal their identity. This has led to the proliferation of services offering to conceal WHOIS data, many of which are provided by the same domain management companies.
But what exactly is the problem that arises with the implementation of the GDPR? Currently, the WHOIS protocol publishes the names, addresses and phone numbers of those who register an Internet domain. Yet this system will become illegal under the GDPR, as it does not ask for the express consent of these people before sharing their personally identifiable data. As mentioned, some companies already offer the possibility of hiding personal data for an extra fee, but this is not compatible with GDPR compliance either.
A head-on collision between GDPR and WHOIS
The situation is not easy to resolve. The GDPR prohibits companies from publishing information that identifies individuals, which means that the agreements between domain registrars and ICANN regarding WHOIS will be illegal. And this will also hinder the work of identifying cyber-attackers.
As it stands now, it is difficult to integrate the WHOIS protocol into the GDPR regulatory framework. It cannot be argued that making this database public serves the original purpose for which the information was collected (registering the domain). This means that the current public WHOIS system is incompatible with the data privacy principles of the GDPR.
Last November, ICANN announced that it would not take legal action against domain registrars for failing to comply with contractual obligations regarding the management of registration data. In other words, the corporation will not act against those who do not publish the WHOIS data until a permanent solution that aligns with the GDPR requirements has been found. Nevertheless, there is a risk that an increasing amount of personal data will be deleted from the public WHOIS database, as it is easier for companies simply to eliminate sensitive data than to invest time in properly implementing the measures required by the GDPR. In fact, GoDaddy, the world’s largest domain registrar, announced in January that it would retract bulk searches of WHOIS contact details for its 17 million customers and it is feared that many other registrars will follow suit before May 25.
Some years ago, ICANN created a working group to study ways of protecting privacy and preserving freedom of expression while, taking into account consumer protection and the public interest, ensuring confidence and competitiveness. Its recommendations indicated the need for a system of ‘informing’, designed to replace WHOIS’ publicly available information. As early as 2012, ICANN proposed a solution: a Registration Directory Service (RDS) that would run an automatically updated database filled with domain registration data from all the accredited registries. The data would be “gated” by default, unlike what happens with WHOIS. However, six years later the organization does not seem to be any closer to implementing this proposal.
ICANN is in a difficult position. On the one hand, it is under pressure from security experts who rely on WHOIS data to investigate crimes or mitigate the effects of attacks. On the other hand, the organization also has to adapt to the GDPR to protect the personal data of Internet users. Will it be able to find a viable way of balancing the security forces’ need to know with users’ right to privacy?