Deleted WHOIS Data: An Unintended Consequence of GDPR
GDPR Will Impact the Availability of WHOIS Data to Security Researchers and Investigators

Unintended consequences. We see examples everywhere.
From the mundane - the New Year's resolution exercise regime that's not vetted first with a medical professional and leads to injury. To the legendary - the 100 starlings introduced to the U.S. in 1890 by a Shakespeare aficionado, that have multiplied exponentially and now wreak havoc on an ecosystem they were not naturally part of. To the ubiquitous - the development boom in prosperous cities and the fallout from congestion and lack of affordable housing.
As security professionals, next week we can expect to see another example of an unintended consequence when the General Data Protection Regulation (GDPR) goes into effect. There are actually a few unintended consequences from these new regulations, but one of the most concerning is the upcoming response that domain registrars are discussing through the global body the Internet Corporation for Assigned Names and Numbers (ICANN). As the name suggests, ICANN is responsible for maintaining the rules for WHOIS data - essentially, a telephone directory-like structure that contains detailed information on who signed up for a specific Internet domain, including their name, address, email address and telephone number.
Such data is subject to the GDPR's privacy requirements for protection. As a result, under current proposals, many of the businesses that register domains will remove key elements of information from the system. In effect, on May 25 the system will "go dark" until alternative preparations are made, which ICANN representatives expect won't start being implemented until December 2018.
GDPR is a sensible law that exists for very good reasons and, in fact, is an evolution of legislation currently in place. But in the quest to further protect the personal data and privacy of citizens of EU countries, we could be creating a riskier world. The problem is that WHOIS is routinely used by companies and individuals to fight computer fraud and other criminal activity on the Internet.
This data often serves as a trail of breadcrumbs that leads security researchers to someone obtaining domains to launch global campaigns involving spam, malware and botnets. For example, the email address listed as the technical contact for one computer domain might be the same address used in a specific malware campaign. Or an address that is associated with the primary business contact could be consistent across several registrations.
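The pivot described above, as an added example that is not part of the original post: it parses constructed WHOIS records in the usual key: value layout, groups domains by a shared contact email, and separately lists records whose contact fields are redacted, which is what the post-GDPR "dark" output looks like to an investigator. All domains and addresses are placeholders.

```python
"""Pivot on WHOIS contact fields to group domains that share a registrant.
Added example, not from the original post; all records, domains and
addresses below are constructed placeholders."""
import re
from collections import defaultdict

# Constructed samples in the key: value layout registrars commonly return.
SAMPLE_RECORDS = [
    """Domain Name: EXAMPLE-ONE.TEST
Registrant Email: ops@contact.invalid
Tech Email: ops@contact.invalid""",
    """Domain Name: EXAMPLE-TWO.TEST
Registrant Email: other@contact.invalid
Tech Email: ops@contact.invalid""",
    """Domain Name: EXAMPLE-THREE.TEST
Registrant Email: REDACTED FOR PRIVACY
Tech Email: REDACTED FOR PRIVACY""",
]

CONTACT_KEYS = ("registrant email", "admin email", "tech email")
REDACTED = re.compile(r"redacted|data protected|not disclosed", re.I)
FIELD = re.compile(r"^\s*([A-Za-z ]+?):\s*(.+?)\s*$", re.M)

def parse_whois(text):
    """Map lower-cased field names to values (last occurrence wins)."""
    return {k.strip().lower(): v for k, v in FIELD.findall(text)}

def contact_emails(record):
    """Usable contact emails from one record; redacted placeholders are dropped."""
    emails = set()
    for key in CONTACT_KEYS:
        value = record.get(key, "")
        if "@" in value and not REDACTED.search(value):
            emails.add(value.lower())
    return emails

def cluster_by_contact(raw_records):
    """Return (email -> sorted domains sharing it, domains with no usable
    contact). The second list is what a post-GDPR 'dark' lookup yields."""
    clusters, dark = defaultdict(set), []
    for text in raw_records:
        rec = parse_whois(text)
        domain = rec.get("domain name", "").lower()
        emails = contact_emails(rec)
        if not emails:
            dark.append(domain)
        for email in emails:
            clusters[email].add(domain)
    return {e: sorted(d) for e, d in clusters.items()}, sorted(dark)
```

On the samples, the two records sharing the technical contact cluster together while the redacted one yields no pivot at all, which is the gap the post warns about.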
The directory is a useful tool to spot patterns, coordinate efforts and gain insight into who is likely to be responsible for malicious activity, and even to anticipate their next likely move so that potential attacks can be headed off. Without access to this critical resource, combating criminal behavior on the Internet becomes much more difficult. To make matters worse, during the intervening months before an alternative solution for GDPR-compliant access is available, attackers will be able to exploit this new-found anonymity to their advantage.
We may see an uptick in spam and, more generally, in criminal activity. As we alter our methods for data handling, we could be exposing the very individuals we are striving to protect, to additional risk. However, there are ways to compensate for a lack of ready access to WHOIS data in the next several months.
We need to remember that digital risks come from all kinds of adversaries and places beyond the boundary. Digital risks include cyber threats, data exposure, brand exposure, third-party risk, VIP exposure, physical threats and infrastructure exposure. Often these threats and risks span data sources and cannot be detected in full context by any single source, or even by multiple sources used in isolation.
As I've discussed before, you need insight across the widest range of data sources possible to mitigate digital risk and better protect your organization. Those combating computer crime and fraud will benefit from further diversifying the methods for spotting criminal activity - it's not just WHOIS data. For example, monitoring Pastebin and social media for mentions of your company, IP addresses and even industry can help you determine if you've been targeted for an attack or may be, so you can proactively strengthen defenses.
Visibility into sites that trade access to hacked remote servers and remote desktop protocol (RDP) endpoints will allow you to look for mentions of your own IP addresses. And monitoring the dark web can provide information on threat actor profiles to understand their motivation and gauge credibility. Additionally, security experts are speaking up and pointing out how removal of this contact information makes our fight much harder.
We need to encourage registrars that make computer domains available to revisit their proposed response. After all, it is up to them how they implement GDPR compliance measures. It is important to find an easy way to provide access while respecting the privacy of registrants.
The unintended effect of removing WHOIS data entirely is not a good outcome for consumers or the industry.
Despite our best intentions, change often brings unintended consequences.
But by monitoring across the entire Internet for risks and sharing our perspectives, those of us responsible for fighting cybercrime can help mitigate these outcomes.