By Michael Hausding, SWITCH-CERT
Thursday, April 12th, 2018
The General Data Protection Regulation (GDPR) is a regulation by the EU that comes into effect on 25 May 2018. The goal of the GDPR is to protect the fundamental right of natural persons in relation to the processing of their personal data. One industry that processes personal information and is heavily affected by the GDPR is the domain name industry: registries, registrars and ICANN, the organization that coordinates the domain name system. Registries and registrars store and process the personal information that is used to register domain names. The main issue here is ambiguity in the application of the GDPR and the widespread interpretation that the identity of the registrant of a domain name cannot be published in the WHOIS system without risking fines. While this protects the privacy of the registrant, it gives criminals more anonymity when registering domain names and will most likely affect the security of Internet users. The underlying conflict is not new. It is the debate over whether more privacy leads to less security. Based on the current issue of WHOIS privacy, my opinion is that privacy and security are not antagonists, but two important and correlated properties that are both essential for a safe Internet.
Until now, personal data of the owner or "registrant" of a domain name has been published in a publicly available address book called the WHOIS. With the GDPR in place this will most likely stop. According to the "Proposed Interim Model for GDPR Compliance by ICANN", personal information of natural persons who registered a domain name will no longer be easily accessible to the public. But without that information, the questions "who is responsible for a certain domain name?" and "who is responsible for emails and websites that use this domain name?" can no longer be answered easily.
This is good for the privacy of natural persons who registered a domain name. Their personal identifiers, such as their phone number, address and email, are no longer publicly available and are therefore protected.
But domain names are not only registered by citizens who want to run a personal website. Domain names are also registered by criminals to obtain sensitive information from Internet users (phishing), to spread malicious software or to send spam to Internet users. And these criminals benefit even more from WHOIS privacy. Even though criminals use fake or stolen identities to register domain names most of the time, these identifiers are invaluable for detecting and preventing Internet crime, which, like any legitimate online business, depends on domain names. Automatically hiding these identifiers from anti-cybercrime organizations will give criminals a big advantage.
Law enforcement, security researchers, anti-virus (AV) vendors and Computer Emergency Response Teams (CERTs) are the organizations most active in fighting cybercrime and protecting Internet users, and they rely on this publicly available WHOIS information in the public interest. They will lose access to the public WHOIS on 25 May 2018, and with it some of their ability to detect and prevent fraud and Internet crime. The most likely consequence is that criminals can hide more easily and operate malicious software, phishing and fraud with more success. And this is bad for the privacy of most Internet users, as they are more likely to receive more phishing emails, lose confidential data via social engineering attacks or have personal files stolen from their computers by malicious software. So the loss of Internet security through WHOIS privacy will most likely result in more privacy violations by criminals.
ICANN and organizations that rely on WHOIS data identified this issue some time ago. The interim model provides for layered access, including a proposal for an accreditation process for non-governmental organizations that would give them access to registrant data. But it is nearly impossible that it will be implemented by 25 May, and there are many open questions, such as what happens with ccTLD WHOIS data, and only few answers. On 28 March, ICANN asked the European data protection authorities to "help ICANN and the domain name registries and registrars to maintain the global WHOIS in its current form, through either clarification of the GDPR, a moratorium on enforcement or other relevant actions, until a revised WHOIS policy that balances these critical public interest perspectives may be developed and implemented."
This is a serious issue, and we need a solution that protects both the security of Internet users and the privacy of legitimate domain name registrants. Let's hope that all involved parties find an interim solution until all open questions can be answered. FIRST.org offered its support to ICANN in an open letter by Chairman Thomas Schreck.
European Union, EUR-Lex (2016). General Data Protection Regulation (GDPR).
The Internet Corporation for Assigned Names and Numbers (ICANN, no date). About WHOIS.
The Internet Corporation for Assigned Names and Numbers (ICANN, 2018). Proposed Interim Model for GDPR Compliance by ICANN.
The Internet Corporation for Assigned Names and Numbers (ICANN, 2018). ICANN Requests DPA Guidance on Proposed Interim Model for GDPR Compliance.