The countdown has now begun for the introduction of the General Data Protection Regulation (GDPR). Although the implications of the new regulation have been widely discussed, one of its lesser-known side effects could jeopardize user security instead of enhancing it. The reason is a conflict between the obligations imposed by the GDPR and WHOIS, the extensive system managed by ICANN (Internet Corporation for Assigned Names and Numbers) that identifies to whom a domain belongs.
What is WHOIS and why is it important?
WHOIS is a protocol that enables you to find the names and contact details of the owners of a domain and was created by ICANN in the 1980s. It is, in fact, one of the oldest Internet tools to verify identities.
The WHOIS system is an invaluable resource for investigators and security forces: the data it provides is a first line of enquiry whenever malicious activity is detected, given that it is publicly available. Investigators use WHOIS to track the spread of malware or to discover who is really behind a malicious domain. ICANN has agreements with all domain registrars which require them to publish data such as the names, email addresses and phone numbers of those who register domains through their service.
Although its requirements apply to every domain, the WHOIS system has come under scrutiny and has long been described as outdated. Even supporters readily admit that it is easy to provide false information, and it is estimated that some 40 percent of the data could be fraudulent or inaccurate. It is also true that WHOIS has traditionally been a mine of information for hackers and spammers, who can extract data from WHOIS databases to launch spam, target registered users or steal their identity. This has led to the proliferation of services offering to conceal WHOIS data, many of which are provided by the same domain management companies.
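To make concrete what an investigator actually gets from a WHOIS record, and what is lost when a concealment service stands in for the registrant, here is an added example (not code from the original post). It parses the plain "Key: Value" text a WHOIS server returns and keeps only the registrant contact fields that still name a real party; both records are constructed, not real registrations, and the privacy-service keywords are an assumption of the example.

```python
"""Parse WHOIS records and keep only contact fields that identify the registrant."""
import re

# Constructed sample record with full registrant details (not a real registration).
FULL_RECORD = """\
Domain Name: EXAMPLE-SHOP.TEST
Registrar: Example Registrar, Inc.
Creation Date: 2018-01-14T10:21:00Z
Registrant Name: Jane Doe
Registrant Organization: Doe Trading Ltd
Registrant Email: jane.doe@example.test
Registrant Phone: +1.5555550100
Name Server: NS1.EXAMPLE-DNS.TEST
Name Server: NS2.EXAMPLE-DNS.TEST
"""

# Same constructed domain, but the registrant is hidden behind a concealment service.
PROXIED_RECORD = FULL_RECORD.replace("Jane Doe", "Privacy Protection Service") \
    .replace("Doe Trading Ltd", "Privacy Protection Service") \
    .replace("jane.doe@example.test", "contact@privacy-proxy.test")

CONTACT_KEYS = ("registrant name", "registrant organization",
                "registrant email", "registrant phone")
# Assumed markers that a name/organization field belongs to a privacy service, not a person.
PROXY_MARKERS = re.compile(r"privacy|proxy|redacted|protect", re.I)


def parse_whois(text: str) -> dict:
    """Turn 'Key: Value' lines into a dict (lower-cased keys); repeated keys become lists."""
    record: dict = {}
    for line in text.splitlines():
        if ":" not in line or line.startswith(("%", "#", ">>>")):
            continue  # skip comments, disclaimers and blank lines
        key, value = (part.strip() for part in line.split(":", 1))
        key = key.lower()
        if not value:
            continue
        if key in record:  # e.g. several "Name Server" lines
            prev = record[key]
            record[key] = prev + [value] if isinstance(prev, list) else [prev, value]
        else:
            record[key] = value
    return record


def attribution_fields(record: dict) -> dict:
    """Contact fields usable to identify the registrant; empty if a proxy service is listed."""
    if any(PROXY_MARKERS.search(str(record.get(k, "")))
           for k in ("registrant name", "registrant organization")):
        return {}  # the phone/email would belong to the proxy, not the registrant
    return {k: v for k, v in record.items() if k in CONTACT_KEYS}
```

Name servers and creation dates survive concealment, so a practitioner can still pivot on infrastructure even when the contact fields come back empty.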
But, what exactly is the problem that arises with the implementation of the GDPR? Currently, the WHOIS protocol publishes the names, addresses and phone numbers of those who register an Internet domain. Yet this system will become illegal under the GDPR, as it does not ask for the express consent of these people before sharing their personally identifiable data. As mentioned, some companies already offer the possibility of hiding personal data for an extra fee, but this is also not compatible with GDPR compliance.
A head-on collision between GDPR and WHOIS
The situation is not easy to resolve. The GDPR prohibits companies from publishing information that identifies individuals, which means that the agreements between domain registrars and ICANN regarding WHOIS will be illegal. And this will also hinder the work of identifying cyber-attackers.
As it stands now, it is difficult to integrate the WHOIS protocol into the GDPR regulatory framework. It cannot be claimed that making this database public serves the original purpose for which the information was collected (registering the domain). This means that the current public WHOIS system is incompatible with the data privacy principles of the GDPR.
Last November, ICANN announced that it would not take legal action against domain registrars for failing to comply with contractual obligations regarding the management of registration data. In other words, the corporation will not act against those who do not publish the WHOIS data until a permanent solution that aligns with the GDPR requirements has been found. Nevertheless, there is a risk that an increasing amount of personal data will be deleted from the public WHOIS database, as it is easier for companies simply to eliminate sensitive data than to invest time in properly implementing the measures required by the GDPR. In fact, GoDaddy, the world’s largest domain registrar, announced in January that it would retract bulk searches of WHOIS contact details for its 17 million customers and it is feared that many other registrars will follow suit before May 25.
Some years ago, ICANN created a working group to study ways of protecting privacy, preserving freedom of expression and, taking into account consumer protection and the public interest, to ensure confidence and competitiveness. Its recommendations indicated the need to have a system of ‘informing’, designed to replace WHOIS’ publicly available information. As early as 2012, ICANN proposed a solution, which was to implement a Registration Directory Service (RDS) which would run an automatically updated database filled with domain registration data from all the accredited registries. The data would be “gated” by default, unlike what happens with WHOIS. However, six years later the organization does not seem to be any closer to implementing this proposal.
ICANN is in a difficult position. On the one hand, it is under pressure from security experts who rely on WHOIS data to investigate crimes or mitigate the effects of attacks. On the other hand, the organization also has to adapt to the GDPR to protect the personal data of Internet users. Will it be able to find a viable way of balancing the security forces’ need to know with the right to privacy of users?
2 comments
Hi, the article is very nice and clear. GDPR is the IT buzzword, but most of them are not clear about the concept.
What will happen if a company does not act in accordance with GDPR?
I hope this may clear all doubts.
The redaction of public availability of registration data has been long overdue.
We live in a world where lots of small business and private individuals have had to pay to obscure their private information from the millions of scammers, criminals and weirdos trying to get hold of those details.
If security researchers are legitimate, let them go through the vetting process of being an accredited third party with access to the data. There are certainly a lot fewer of them than there are of the nefarious people interested in the data.
The general principle is that personal data should be private, and those with legitimate reasons to access that data should be registered so that their activities can be tracked to ensure that that access is not being abused. That is, trust no-one, unless they prove themselves.
While we are at it, isn’t it a huge abuse to allow companies, like Google, that have never sold a domain name, to have access to mass domain registration data, just so they can use it to target people for their advertising business?