4/29/2018 WHOIS afraid of the dark? Truth or illusion, let's know the difference when it comes to WHOIS - Internet Governance Project

WHOIS afraid of the dark? Truth or illusion, let’s know the difference when it comes to WHOIS

Posted on April 25, 2018 by Farzaneh Badii, Rafik Dammak and Ayden Férdeline | IG Institutions, Privacy & Surveillance

“Martha: Truth or illusion, George; you don’t know the difference.
George: No, but we must carry on as though we did.
Martha: Amen.”
Edward Albee, Who’s Afraid of Virginia Woolf?

https://www.internetgovernance.org/2018/04/25/whois-afraid-dark-truth-illusion-lets-know-difference-comes-whois/

Since February, the prominent security reporter Brian Krebs has been writing on his widely-read blog, Krebs on Security, that publicly-accessible WHOIS records are essential to tackling cybercrime. His analysis, coupled with his reputation in the field, has seen campaigns like #WeNeedWHOIS launched to prevent WHOIS from “going dark” because of the privacy protections in Europe’s General Data Protection Regulation.

There’s just one problem: WHOIS isn’t going dark; the only fields that are going to be cloaked are those that cybersecurity researchers and investigators might not even need in order to do their jobs. Those who need additional information, such as law enforcement agencies involved in a legitimate investigation, will be able to get more.

In this post, we will explore the small changes coming to the WHOIS, and we will reveal how little an impact they are likely to have when you fight spam, botnets, and DDoS attacks. It is true that some users of WHOIS, such as trademark attorneys, may need to re-think the methods they use to contact registrants, but cybersecurity research will still be able to take place provided you do not access the personal information of domain name registrants.

WHOIS won’t go dark, and it won’t go away.

We would like to begin by debunking the myth that with enforcement of the European Union’s General Data Protection Regulation (GDPR) coming into effect, WHOIS will go dark. All of the data fields which exist today will continue to exist in WHOIS, with all the same data continuing to be collected. However, a very small number of fields will no longer be publicly displayed. Fields which contain the personal information of domain name registrants, such as their home address or phone number, will have to be removed from public view. The majority of fields, and all which are critical to the operation of the Domain Name System, like nameservers and expiration dates, will remain public.

Security researchers who do not rely on personal and sensitive information in order to carry out their work will not be impacted in any way by the GDPR. Security researchers will still have access to the zone file, as it does not contain any personal information. If there is a need for a searchable WHOIS system, which includes proportionate access to personal information, then there will need to be some kind of accreditation mechanism developed to enable those parties with a legitimate need to retrieve these records to do so. This mechanism is not yet in place in an automated fashion; however, its absence does not mean WHOIS is going dark.

A fundamental principle of data protection law is that the processing of personal data should be limited to that which is necessary for a defined purpose. Security researchers do not need to be able to identify a domain name registrant, as they can today, when the WHOIS is a public directory of personal information.
What most security researchers need is to be able to contact a domain name registrant in case of a technical issue, and this will continue to be the case.

One key change is that you will no longer be able to see a registrant’s email address. Under the GDPR, email addresses are considered personal information and must therefore be stored and processed according to strict privacy and security guidelines. As the GDPR was adopted to harmonize the power balance between data controllers, data processors, and data subjects, it would be an unfair burden on the registrant to expect them to use an email address in their registration that could not identify them. If you need to get in touch with a website’s administrator, you will be able to do so in what is a less intrusive manner of achieving this purpose: by using an anonymized email address, or webform, to reach them (the exact implementation will depend on the registry).

If this change is inadequate for your “private detective” activities and you require full WHOIS records, including the personal information, then you will need to declare to a domain name registry your specific need for and use of this personal information. Nominet, for instance, has said that interested parties may “request the full WHOIS record (including historical data) for a specific domain and get a response within one business day for no charge.”

Security researchers and businesses that harvest personal information from the WHOIS today on an industrial scale may need to refine and remodel their research methods and their business models. As we have seen in other fields like clinical care, research can be effectively undertaken with anonymized data to identify patterns.

Privacy/proxy services didn’t break the Internet.

For several years now, some of the WHOIS records have already been cloaked by privacy/proxy services, and the Internet as we know it has not come to an end.
While a registrant’s personal information is not available for everyone to see, if you have a legitimate need for a registrant’s home address or phone number, you can contact the privacy/proxy service to request the information. If you have a legitimate need for it, your request will likely be granted, and if they do not cooperate, you could even apply for a court order to require the registrant’s privacy service to disclose this information.

People register domain names because they want to speak, to share knowledge, to uncover corruption. Being able to speak anonymously protects people with unpopular but lawful opinions, allowing them to be heard without fear of reprisal or harm. Privacy/proxy services protect whistleblowers who expose crimes, and they protect cybersecurity researchers, who too would most likely not want their home address scattered all over the Internet. Keeping the personal information of domain name registrants private significantly reduces the registrant’s risk of suffering from harassment, intimidation, and identity theft.

When privacy/proxy services came into effect, some among the anti-spam community argued that those who use such services would most likely be engaged in illegal activities. This, however, turned out to be conjecture.
While a small percentage of registrants who use privacy/proxy services do engage in illegal activities, a 2013 study by Clayton and Mansfield (p.18) found that “When domain names are registered with the intent of conducting illegal or harmful Internet activities then a range of different methods are used to avoid providing viable contact information – with a consistent outcome no matter [whether or not a privacy/proxy service] is used.” In other words, those who register domain names to carry out illegal activities do not provide accurate contact information whether they use a privacy/proxy service or not, so it does not stand to reason that the removal of personal information from the public WHOIS output will lead to an increase in illegal activities.

The GDPR is an evolution, not a revolution.

Gregory Mounier from Europol has been quoted as stating it will be difficult for security researchers to mitigate against botnets if there is no accreditation system in place when enforcement of the GDPR begins:

“If you don’t have an accreditation system by 25 May then there’s no means for cybersecurity folks to get access to this information …Let’s say you’re monitoring a botnet and have 10,000 domains connected to that and you want to find information about them in the WHOIS records, you won’t be able to do that anymore. It probably won’t be implemented before December 2018 or January 2019, and that may mean security gaps for many months.”

This statement is incorrect. The GDPR only applies to personal information like a registrant’s name, home address, and email address, and it does not impact other, more useful WHOIS data elements. Most botnet monitoring today occurs through machine learning and is often an automatic process.
The data elements that automated processes use to mitigate against botnets will remain accessible. Moreover, Mounier’s example does not seem to be about the urgent mitigation of botnets, but about an ongoing investigation that entails monitoring and finding information about the perpetrators. That is firmly within the territory of law enforcement agencies, who will, through a system of tiered access, have immediate access to the WHOIS data of registrants. It does not follow that publishing personal data for everyone in the world to retrieve is the appropriate way to serve these legitimate purposes.

Rod Rasmussen, the chair of ICANN’s Security and Stability Advisory Committee, was quoted as saying:

“A lot of people who are using this data won’t be able to get access to it, and it’s not going to be pretty. Once things start going dark it will have a cascading effect. Email deliverability is going to be one issue, and the amount of spam that shows up in peoples’ inboxes will be climbing rapidly because a lot of anti-spam technologies rely on WHOIS for their algorithms.”

We disagree. Spam is not going to increase with the advent of the GDPR. Actually, domain name registrants, whose emails are currently public, may soon receive less spam in their inboxes. WHOIS is not a sufficient proxy for identifying a spammer, and while it may be one tool in a spam fighter’s toolkit, there are other, better tools that can be used, like IP address blacklists, keywords, and machine learning that can protect our inboxes from unsolicited messages.

All in all, it seems ‘WHOIS going dark’ in this context means that anti-spam businesses which have monetized the indiscriminate access to personal information of people in WHOIS will not be able to monetize it for a while. If the anti-spam community relies on the personal information of people in order to create its algorithms and tackle spam, then it should rethink its business model. After all, as the anti-spam community itself has said, WHOIS is only one tool to fight spam with!

It’s time to consider the privacy implications of our own activities and how they could impact trust in the shared, global Internet.

There is no question that the work undertaken by cybersecurity experts to mitigate the activities of malicious actors is vital for the security and stability of the Internet. However, like any complex and continually evolving challenge, there are multiple interests that must be balanced. The unfettered use by researchers of the personal information of domain name registrants is disproportionate and unjustifiable, because it has exposed, and continues to expose, these individuals to abuse.

We need to be more creative when it comes to fighting security challenges like botnets and spam. Using the personal data of domain name registrants, retrieved from WHOIS, is no longer the best approach. There are machine learning solutions to fight botnets, for instance, that do not depend on the personal information of a domain name registrant, because quite often these records are incomplete or inaccurate. If you have a need to contact a website administrator, you will still be able to do so come May 25, but if you need to identify someone, then your request will need to be examined for necessity and proportionality.

It concerns us greatly that the Internet can be used to perpetrate crime, and we fervently support bottom-up, agile multistakeholder approaches to policy making.
While we recognize the important role of the private sector in combating cyber attacks through the use of the Domain Name System, the WHOIS in its present form does not comply with data protection law. Adherence to the law is key: stopping a phishing attack, important as that may be, simply does not justify breaking another law or violating the individual rights of innocent Internet registrants.

ICANN has had a long history of violating basic data protection norms. We have documented at least 15 letters to ICANN from Data Protection Authorities, the International Working Group on Data Protection in Telecommunications (‘Berlin Group’), and the European Data Protection Supervisor between 2000 and 2018. Indeed, it was the assessment of the Berlin Group back in 2000 that the WHOIS then was not fit for purpose. And it was the opinion of the Berlin Group in 2017 that, “It is questionable whether it is the role of ICANN, as a private corporation, to require its contracted parties to assemble data and provide it, without regard to human rights concerning fair legal procedure, to the global law enforcement community, and to private sector security companies.”

The privacy rights of domain name registrants have been ignored for far too long by ICANN. While proxy/privacy services provided some level of protection, they were marketed as a value-added service and had minimal consumer uptake. As our understandings of privacy have evolved, and the implications of modern technologies on our society have become more apparent, people around the world have expressed concerns over how their personal data is used, and what control they have over it, in our new, data-powered world.
It is up to all of us who care deeply about the future of the Internet to consider how we can respect the fundamental right to privacy, something bestowed upon all of us, while carrying out our own missions. This is not just about adhering to the GDPR or other privacy and data protection laws; this is about recognizing that information that can identify people is personal data. If we are to meet the challenges of globalization, use data to deliver new products and services, and keep the Internet a trusted place for everyone everywhere, we all need to think carefully about how we can respect the privacy rights of Internet users.

7 thoughts on “WHOIS afraid of the dark? Truth or illusion, let’s know the difference when it comes to WHOIS”

MICHAEL MEALLING
April 25, 2018 at 14:35

“A fundamental principle of data protection law is that the processing of personal data should be limited to that which is necessary for a defined purpose.”

This is where I have a fundamental question about GDPR. Have I now lost the freedom to publish information about myself voluntarily? I don’t want my public personal data limited to that which is defined by the purpose. I want to add _more_ than that. So am I PREVENTED from putting my actual email address in WHOIS?

MILTON MUELLER
April 25, 2018 at 18:26

You can publish any information about yourself you like. The whole point of data protection laws is to give you that choice, so it limits what other people do with your data, not what you do with it.

JOHN CHRIS
April 25, 2018 at 18:01

A couple of non-security researcher, non-infosec people making claims about what kind of data is required for security operations.
Have you ever conducted a fraud investigation, or dealt with an intrusion, or maintained a mail server? You clearly haven’t. You make confident claims about a line of work you know nothing about. Georgia Tech do you let any charlatan write blog posts?

MILTON MUELLER
April 25, 2018 at 18:24

John Chris: FYI, we do a lot of cybersecurity research here. Check our research section. And by the way, who are you? I suspect you are a fraud. Please publish your full name, home address and email in your comment. Otherwise we will delete your comment.

JOHN CHRIS
April 26, 2018 at 01:01

Comments disagreeing with you are fraudulent? Demanding home address on penalty of censorship? This is rich!

The article contradicts several people who are accomplished experts in their field and fails to provide proof as to why these experts are wrong about their own line of work. Can the authors please share the magical anti spam tools that will discover all related domains without any of the requisite information to do so? The rest of us would love a copy of that software.

The authors of this article are stepping far outside their area of expertise and should stop making claims about areas of work they aren’t involved with. “Most botnet monitoring today occurs through machine learning and is often an automatic process.” is one statement that proves lack of relevant work experience. Machine learning is one part, helpful but absolutely not sufficient to do what you claim, and is an overblown marketing buzzword. Anyone in this field would know that. Numerous malware reports include WHOIS as a pivotal aspect. I won’t go into the other ignorant statements. This policy report is too full of them.

MILTON MUELLER
April 26, 2018 at 10:46

This is indeed rich. You’re using a fake name and you demand that every person in the world who registers a domain name must be compelled to provide detailed personally identifiable information to anyone in the world who requests it. You refuse to provide additional information authenticating your claim to be an “expert” in investigations. You are a hypocrite, sir. And your critique of the article is full of holes. Which data elements in Whois form an essential part of malware reports and would they be lost, or just a bit harder to get post-GDPR? Can you even answer that question? Why does an email address need to be publicly displayed to any spammer in the world? What is wrong with access to the sensitive data being limited to bona fide law enforcement agencies? Until and unless you engage with those questions you are just playing a game of distortion and scare tactics. Doing so under cover makes your tactics even more dishonest.

JOHN CHRIS
April 26, 2018 at 15:11

I thought you had such a respect for privacy that you would be capable of engaging with the content of my message without feeling the need to ascertain exactly who I am and where I live. And I am not even phishing anyone, I am merely committing the sin of dissent! You should be celebrating the fact that I can challenge your arguments and you have no way to affect my life outside of this webform. I am also not making the statements you claim I am making, not demanding that registrants broadcast anything. I am simply saying that the