March 16, 2018

Security researchers who rely on data included in Web site domain name records to combat spammers and scammers will likely lose access to that information for at least six months starting at the end of May 2018, under a new proposal that seeks to bring the system in line with new European privacy laws. The result, some experts warn, will likely mean more spams and scams landing in your inbox.

On May 25, the General Data Protection Regulation (GDPR) takes effect. The law, enacted by the European Parliament, requires companies to get affirmative consent for any personal information they collect on people within the European Union. Organizations that violate the GDPR could face fines of up to four percent of global annual revenues.

In response, the Internet Corporation for Assigned Names and Numbers (ICANN) — the nonprofit entity that manages the global domain name system — has proposed redacting key bits of personal data from WHOIS, the system for querying databases that store the registered users of domain names and blocks of Internet address ranges (IP addresses).

Under current ICANN rules, domain name registrars should collect and display a variety of data points when someone performs a WHOIS lookup on a given domain, such as the registrant’s name, address, email address and phone number. Most registrars offer a privacy protection service that shields this information from public WHOIS lookups; some registrars charge a nominal fee for this service, while others offer it for free.

But in a bid to help registrars comply with the GDPR, ICANN is moving forward on a plan to remove critical data elements from all public WHOIS records. Under the new system, registrars would collect all the same data points about their customers, yet limit how much of that information is made available via public WHOIS lookups.

The data to be redacted includes the name of the person who registered the domain, as well as their phone number, physical address and email address. The new rules would apply to all domain name registrars globally.

ICANN has proposed creating an “accreditation system” that would vet access to personal data in WHOIS records for several groups, including journalists, security researchers, and law enforcement officials, as well as intellectual property rights holders who routinely use WHOIS records to combat piracy and trademark abuse.

But at an ICANN meeting in San Juan, Puerto Rico on Thursday, ICANN representatives conceded that a proposal for how such a vetting system might work probably would not be ready until December 2018. Assuming ICANN meets that deadline, it could be many months after that before the hundreds of domain registrars around the world take steps to adopt the new measures.

Gregory Mounier, head of outreach at EUROPOL’s European Cybercrime Center and member of ICANN’s Public Safety Working Group, said the new WHOIS plan could leave security researchers in the lurch — at least in the short run.

“If you don’t have an accreditation system by 25 May then there’s no means for cybersecurity folks to get access to this information,” Mounier told KrebsOnSecurity. “Let’s say you’re monitoring a botnet and have 10.000 domains connected to that and you want to find information about them in the WHOIS records, you won’t be able to do that anymore. It probably won’t be implemented before December 2018 or January 2019, and that may mean security gaps for many months.”

Rod Rasmussen, chair of ICANN’s Security and Stability Advisory Committee, said ICANN does not have a history of getting things done before or on set deadlines, meaning it may be well more than six months before researchers and others can get vetted to access personal information in WHOIS data.

Asked for his take on the chances that ICANN and the registrar community might still be designing the vetting system this time next year, Rasmussen said “100 percent.”

“A lot of people who are using this data won’t be able to get access to it, and it’s not going to be pretty,” Rasmussen said. “Once things start going dark it will have a cascading effect. Email deliverability is going to be one issue, and the amount of spam that shows up in peoples’ inboxes will be climbing rapidly because a lot of anti-spam technologies rely on WHOIS for their algorithms.”

As I noted in last month’s story on this topic, WHOIS is probably the single most useful tool we have right now for tracking down cybercrooks and/or for disrupting their operations. On any given day I probably perform 20-30 different WHOIS queries; on days I’ve set aside for deep-dive research, I may run hundreds of WHOIS searches.

WHOIS records are a key way that researchers reach out to Web site owners when their sites are hacked to host phishing pages or to foist malware on visitors. These records also are indispensable for tracking down cybercrime victims, sources and the cybercrooks themselves. I remain extremely concerned about the potential impact of WHOIS records going dark across the board.

There is one last possible “out” that could help registrars temporarily sidestep the new privacy regulations: ICANN board members told attendees at Thursday’s gathering in Puerto Rico that they had asked European regulators for a “forbearance” — basically, permission to be temporarily exempted from the new privacy regulations during the time it takes to draw up and implement a WHOIS accreditation system.

But so far there has been no reply, and several attendees at ICANN’s meeting Thursday observed that European regulators rarely grant such requests.

Some registrars are already moving forward with their own plans on WHOIS privacy. GoDaddy, one of the world’s largest domain registrars, recently began redacting most registrant data from WHOIS records for domains that are queried via third-party tools. And experts say it seems likely that other registrars will follow GoDaddy’s lead before the May 25 GDPR implementation date, if they haven’t already.


62 thoughts on “Who Is Afraid of More Spams and Scams?”

  1. North Korea Internet User

    Most spamvertised websites have spoofed WHOIS information so will this matter?

    1. Roberto

      Whether the information is real or fake it doesn’t matter if you’re tracking cyber criminal activities. You just need miscreants reusing the information over and over.

      1. BrianKrebs Post author

        Roberto is dead on. Even when they use intentionally misleading or false information in WHOIS records, chances are they do that repeatedly, so it still helps in tracking resources and patterns across multiple nicknames and networks.

          1. Rob McEwen

            See the link at the end of this comment for a writeup about what Spamhaus has to say about that. This is a very negative factor when it comes to mail sending. Those who desire their mail to be respected should be more transparent about their identity. Therefore, a hidden whois record is STILL informative. But if they ALL are hidden (legit and spammers) then that is one less tool for spam fighters.

            https://www.spamresource.com/2010/02/whois-privacy-protect-what-spamfighters.html

          1. BrianKrebs Post author

            Nay, miscreants is a great word. You have to use it from time to time because you can only say cybercriminal so many times before someone starts making fun of you for prefacing everything with the word “cyber.”

        1. Jan Peeters

          “chances are they do that repeatedly” is just not good enough.
          And btw, they don’t. Only if they are dumb and/or lazy.
          And professional spammers are neither.

          1. BrianKrebs Post author

            Professional spammers are neither? Perhaps you should have a look at my book, Spam Nation. It profiled most of the biggest, professional spammers, virus writers and scammers the Internet has ever seen. Guess what? They *all* routinely re-used real or fake information across a multiplicity of profiles and online assets. How else do you think I was able to identify who these people were in real life?

          2. SkunkWerks

            “Only if they are dumb and/or lazy.”

            If it’s one thing that six years as a Sysadmin has taught me, it’s the above is less an exception and more the rule.

            Insisting it’s the exception is pretty much what leads to every gasp of “inconceivable horror” as we watch (and have watched) the most elementary of OpSec mistakes being regularly committed by the parties we seem to think should be immune from committing such oversights- governments, big internet companies, programmers, and yes, cyber-criminals too.

            And don’t mistake me here, I’m not saying laziness/sloppiness is a quality that’s the bosomest of buddies with the Information security sector (both black and white hats alike- and everything in-between) in particular.

            More like: it’s pretty inseparable from the Human Condition in general.

            Think of every time you’ve hired a home improvement contractor, only to have another one come along and correct the oversight of the last one.

            And if it’s not outright incompetence/oversight, it’s often a matter of deliberateness. Ego isn’t exactly in short supply in the sector, and plenty of people on both sides of the line like to leave their proverbial “Kilroy Was Here” all over their work.

            Yeah, I’m sorry, but if you think this kind of “sloth” is rare, you’re deluding yourself here.

  2. ScottishInternet User

    > a proposal for how such a vetting system might work
    > probably would not be ready until December 2018.

    Not like they didn’t know this was coming. To be whining about something six months out is a bit late.

    1. Frank

      People tend to forget that the GDPR is effective since May 2016. What we’re seeing is the end of a 2 year grace period or as ICANN calls it “forbearance”.

      IMHO it would be a bad signal to the people if they’d get away with it.

      I myself use whois privacy on my domains ever since I was targeted by spear phishing campaigns with more data about myself as I’d like. And yes I used whois in order to get some starting points for the police but you know what? It took months to get hold on someone who actually understood what I was talking about which led me to feel like I have to take actions to protect myself and I was very pissed to find out that my country’s registrar forbids whois privacy and my country’s law puts a heavy enough fine on faking that data that I was forced into either moving away from the registrar or put myself into a position where I actively and intentionally disobey law. Not cool.

  3. Tammy

    The bad actors waiting in the wings must be rubbing their hands with glee! Well done eurocrats, and we all will be.

  4. Chris Nielsen

    This is wrong on so many levels. A few thoughts on this:

    – In the first place, WHOIS information is created by the person registering the domain. Along with WHOIS privacy services, registrants can enter whatever they want, including “false” information. Of course that’s against the “rules”, but we know it’s common. The WHOIS information does not generally come from the users “account information”, so isn’t it the responsibility of the user to assume or not assume the “risk” of entering accurate WHOIS information?

    I DO think that WHOIS records should be protected from automated information gathering of email and phone data. But if someone wants to market to me using my street address I don’t have a problem with that – it’s public information.

    – There is another option that could be used to contact domain owners or those providing the hosting for a domain. That is the fact that most DNS zone files have a contact email address in the record.

    For this site the information is:

    SOA 83 ms
    IN ns-cloud-d1.googledomains.com. cloud-dns-hostmaster.google.com. 1 21600 3600 259200 300 21600

    or hostmaster@google.com

    While this is less than desirable (especially for hosts) it does provide another line of inquiry and could inspire the hosting industry to take up the slack by creating something located in zone files that could be used to communicate with site/domain owners in the future. Even if it was a blind “one-way” method it would be better than nothing.

    – I for one am SICK of being bullied by the EU and ICANN. While ICANN has done a few things right I think they have done many more incorrectly and earned the nickname of “ICAN’T”. The current glut of new TLD trash is a sad joke in my opinion. It would have been better to just allow whatever people wanted for a TLD with only a few limitations. I might even register http://www.chris.nielsen if it was an option.
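An added example, not part of the original comment: the SOA contact field mentioned above is stored as a domain name (the RNAME field), and under RFC 1035 its first label is the mailbox local part, with `\.` standing for a literal dot inside that local part. The function names are this example's own; the record line is the one quoted in the comment.

```python
"""Recover the zone contact address from an SOA record (added example)."""

# The SOA line quoted in the comment above, copied as-is.
PAGE_SOA_LINE = ("IN ns-cloud-d1.googledomains.com. cloud-dns-hostmaster.google.com. "
                 "1 21600 3600 259200 300 21600")


def rname_to_email(rname):
    """Convert an SOA RNAME to an email address.

    The first unescaped dot separates the local part from the domain.
    A backslash escapes the next character, so 'first\\.last.example.org.'
    means first.last@example.org, not first@last.example.org.
    """
    name = rname.strip()
    # Drop the trailing root dot of a fully qualified name.
    if name.endswith(".") and not name.endswith("\\."):
        name = name[:-1]
    local = []
    i = 0
    while i < len(name):
        ch = name[i]
        if ch == "\\" and i + 1 < len(name):
            local.append(name[i + 1])  # escaped character belongs to the local part
            i += 2
            continue
        if ch == ".":
            domain = name[i + 1:]
            if not local or not domain:
                raise ValueError("RNAME lacks a local part or a domain: %r" % rname)
            return "".join(local) + "@" + domain.lower()
        local.append(ch)
        i += 1
    # Covers the bare root name "." that some zones publish to signal "no mailbox".
    raise ValueError("RNAME has no domain part: %r" % rname)


def soa_contact(record_line):
    """Pick MNAME and RNAME out of a presentation-format SOA line.

    Class/type keywords and numeric fields (TTL, serial, timers) are skipped,
    so the function does not depend on how many numbers a lookup tool prints.
    """
    names = [tok for tok in record_line.split()
             if "." in tok and not tok.replace(".", "").isdigit()]
    if len(names) < 2:
        raise ValueError("expected MNAME and RNAME in: %r" % record_line)
    mname, rname = names[0], names[1]
    return {"primary_ns": mname.rstrip(".").lower(), "contact": rname_to_email(rname)}


if __name__ == "__main__":
    print(soa_contact(PAGE_SOA_LINE))
    print(rname_to_email(r"first\.last.example.org."))  # constructed RNAME
```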

    1. Jan Peeters

      You can’t register a website, but you can register a domain name.
      This says something about the knowledge people here have about the technical aspects of the internet.
      Brian, you don’t really help them by spreading #fakenews.

      1. BrianKrebs Post author

        Jan, if you really believe this is “fake news” then I have to believe you know exactly zero about tracking spammers and scammers.

  5. Rick

    I use that information every day to chase phishing landing pages targeting my customers. This decision makes it near impossible to continue to chase down the miscreants and will impact the cyber safety of my customers.

    I see lawsuits coming on.

    1. William

      Lawsuits in the US will do nothing to stop this from happening. Since the registrars operate internationally and/or collect information on folks in the EU they are subject to this regulation. It may be indirectly through various treaties and agreements with individual members of the EU but this law will cause issues for US companies regardless of where they are located if they have information on EU members.

    2. patti

      Is it possible the EU legislators are in the pocket(s) of international money scams? Here in the US, they’re unwinding toxics protections (think: the EPA) to help corporations.

      1. Phil

        No it’s a side effect of GDPR which ICANN is only now whinging about. GDPR has been on its way for several years so it’s a little pathetic that ICANN have taken this long to identify the problem.

  6. Mike

    Why wipe for everyone. If it only applies to Europeans, then why wipe the rest. It would save them work. A question by registrars whether they were in the EU, or by their address should clear the problem, shouldn’t it?

  7. Matt Fahrner

    It isn’t just researchers who need this data. Whois is regularly used by organizations to determine whether traffic or web sites are legitimate, identifying attackers, combatting cybersquatting/typosquatting, and solving email issues.

    It is also used to aid in buying and transferring domains, so it may make domain commerce more difficult.

    It seems to me, a better direction would be to simplify creating private domains. In general it is important that this information is available for simple administrative purposes.

    The views above are my own and do not necessarily reflect that of my employer.

  8. Blake

    I don’t understand why this is an issue. Everyone listed in WHOIS willingly agreed to provide the information and make it a matter of public record. No one was forced against their knowledge or will to provide this info.

    1. ChrisM

      @Blake – “Everyone listed in WHOIS willingly agreed to provide the information and make it a matter of public record.”
      You are right. In my research of GDPR (still ongoing, btw), If ICANN can get consent from the registrant that their information be used for WHOIS, then it CAN be made into a public record.
      This is one of the 2 loopholes I see with GDPR.
      The other one is ICANN’s possible right to collect this information for the purposes that Brian has mentioned on this article.
      GDPR is meant to provide privacy to EU Citizens but it does bleed into WHOIS (sadly).

      1. Russell

        I thought the same thing initially, based on my research and basic understanding of GDPR though I reached a different conclusion. Unfortunately, and I may be interpreting this wrong, consent must be given freely and unconditionally. https://gdpr-info.eu/art-7-gdpr/ (point 4)

        The argument can easily be made that while you may need to provide the information upfront to acquire the services/processing, there is no reason that the information would need to be processed in a way that makes it publicly available.

        Once again, just my quick interpretation based on conversations which I have had with different individuals on GDPR and how it may affect our various companies.

        1. Lionel

          again WRONG, Consent applies only to non-sensitive, non public data.

          It’s worth reading the WHOLE regulation.

          Ciao,

    2. vb

      Most everyone listed in WhoIs did not willingly agree to make it a matter of public record. They provided the information to their domain registrar as a condition of getting the domain name.

      You’re stretching the definition of “willingly” beyond the breaking point.

      1. Another guy

        Willingly provided the info?

        Sure. At least as willing as when you “agree” to a shrinkwrap license, or to a clickthru TOS on a website. If those things can be taken as legal consent, how is this different? Me, I think that the only agreements considered binding should be those negotiated and actually signed by human representatives of the parties, but that seems to be a minority view. Probably even in the EU.

      2. SkunkWerks

        “You’re stretching the definition of “willingly” beyond the breaking point.”

        Dear US Postal Service,

        I would like to register for a P.O. Box, but do not wish to provide a record of the mailing address where I actually reside.

        I’m sure you can understand and see your way clear to granting my not-at-all ridiculous request.

        (If not “willingly”, how about “impractical”?)

    3. Jan Peeters

      This is not correct. You have to accept the t&c, otherwise you can’t register a domain name.
      So it’s unilateral, enforced …
      Please read the GDPR.

  9. Gary

    Typical email servers block spam based on RBLs (reputation blocking lists). I don’t see DNS records making much of a difference regarding if you get on a RBL or not.
    Besides RBLs, I require SPF or DKIM pass, and a reverse pointer exist.
    There are a few more tricks, but basically the only spam that gets past this screening comes from real email services like yahoo, Gmail, etc. Here DNS isn’t an issue.
    Perhaps more spam will be sent due to the new privacy rules, but I’m not convinced more spam will get through.

    1. BrianKrebs Post author

      I think we’re probably going to see some reputation-based security and anti-abuse systems struggling because of this. If/when that happens, it will result in a great deal more spam getting through.

    2. SeymourB

      Actually RBL stands for Realtime Blackhole List, and it may make getting onto or off those lists harder, depending on who’s maintaining the RBL and how much checking they do before putting someone on it or after someone’s been put on it. It’s customary to send an email to the administrator of the domain when putting them on an RBL so that they’re aware of your actions and what steps they need to take to get off it.

      At my last job the marketing department was intentionally ignorant of the differences between opt-in and opt-out systems (basically they didn’t know how to implement an opt-in system and as a consequence refused to admit that it was even possible) and were forever getting the company onto RBLs. And of course when the CEO can’t send email the marketing department isn’t going to be the one she blames for the trouble.

    3. Rob McEwen

      The PTR of the IP address is a host name, ending in a domain name… and OFTEN… attributes/reputation of THAT domain name is a large factor in calculating the reputation of the IP address. This can be a factor in automated anti-spam systems, automated RBLs (aka DNSBLs). And it is also a factor in manual auditing and manual processing of delist requests for RBLs (and other auditing by spam filtering vendors). In those manual reviews, a review of the WHOIS record for the domain in the PTR record is common. Plus, other DNSBLs are domain-based and of course they factor in WHOIS information at various points, too. (even if just for auditing/reviewing)

    1. Fin-man

      Actually such a “cucumber law” (they are called directives in the EU) never existed. There are different quality classes for cucumbers (length, straightness…) as there is for all food.

  10. MikeOh Shark

    Let’s just mark all email from the EU as spam and be done with their Eurocrat imperialism.

  11. J. Tate

    Great thing we saw this coming. Our EU office is a GDPR DPO and we have been a secure registrar for years…bring it on!!!

  12. CPC

    I (for one) welcome the proposed change.

    I get large amounts of spam every time I create a new website, because I refuse to pay for identity-hiding services. Privacy should be the default, not an extra that you need to pay for.

    1. Nick

      “Privacy should be the default, not an extra that you need to pay for.” When it comes to internet domains, you’re wrong on both counts.

      ICANN (or whoever it was before them) screwed this up royally when they allowed countries other than the US to run their own ccTLD registrars, AND did so without requiring application of the US’ generally appalling attitudes to privacy and without requiring full WHOIS compliance. The base security model of today’s internet is actually that of a closed, military communications system. As such systems only contain nodes that are allowed to be there, and those nodes are run and used by “responsible” people, the threat posed by malicious actors was considered very minor — in fact, so much so, that this was not even considered in the underlying security model (it went without saying that only “acceptable” systems exhibiting “acceptable” behaviour would be present on the network). The enforcement model was that, in the very unlikely event of something going wrong with these assumptions, a system admin whose computer was being “attacked” by another computer would phone the admin of the attacking system and ask them to have whoever it was quit what they were doing. If that didn’t work, the attacked system’s admin would have their commanding officer call the other systems’ admin’s commanding officer, and the abuse would stop pretty darn promptly.

      The threat model for an open, public internet based on the same technology is, of course, much different (== much, much worse). How does such a public internet possibly manage network-infrastructure-level abuse remediation? Well, until now, a large part of that has revolved around the fact that it is a public network and part of the price of entry is you are required to publicize some responsible contact details to get a presence (in the form of a domain name) in that network.

      As I said above, ICANN (IETF, ????, etc, etc) already partially screwed this up by not actually caring about such issues enough (too many peace-and-love, “don’t trust the government” hippy types involved) when devolving responsibility for ccTLDs to entities more under the control of the laws of countries other than the US, and now, far-reaching additional non-US laws put what we have left of this “control” mechanism even further down the drain…

  13. dmarc

    Another good resource bites the dust thanks to some EU lawyers’ and politicians’ unintended consequences. For 10+ years I’ve used that as a source to authenticate information on B2B applications and help protect businesses from identity theft/fraud. It was already getting less useful with the recent privacy masking, now it becomes a wall.

    1. Derek

      Security, privacy and due diligence in the right combination is needed for a healthy internet ecosystem. We are now removing security at the cost of due diligence (consumers also do due diligence) which will undermine privacy for all. This is a case of solving a small problem in the incorrect way, resulting in a bigger problem.

  14. Derek

    The biggest problem is that many registrars have been willing to ignore ICANN requirements without fear for market share, allowing WHOIS data that does not even pass the most basic of scrutiny onto the net from where it’s used for all type of malicious activities, many a time allowing such abusers to use their proxy services. Yet they do not wish to check when alerted and will never accept responsibility for this. In turn this has undermined the legitimate internet. Scams, spams, BEC, phishing … all part of the same underlying problem. It is now also in the hands of these known registrars that consumer trust will be placed, undermining the very essence of the GDPR.

  15. Lionel

    “On May 25, the General Data Protection Regulation (GDPR) takes effect. The law, enacted by the European Parliament, requires companies to get affirmative consent for any personal information they collect on people within the European Union.”

    WRONG. this applies only to SENSITIVE PIIs such as sexual orientation, health data, or biometry.

    All the rest is irrelevant.

    1. BrianKrebs Post author

      Oh, I see. So all of this fuss over WHOIS is much ado about nothing? Probably should tell the registrar community and ICANN then, they’ll be so relieved.

      1. Hayton

        Brian, you’re diligent and thorough so you already know all of this. But for the benefit of your readers, here is the official EUGDPR website :
        https://www.eugdpr.org/eugdpr.org.html

        They may need to lie down in a darkened room after wading through it all. Or go to the Wikipedia page, which seems to cover most of it pretty well –
        https://en.wikipedia.org/wiki/General_Data_Protection_Regulation

        There are a number of places offering checklists. Here’s one.
        https://www.macroberts.com/icos-12-steps-checklist-how-to-prepare-for-eu-data-protection-reforms/

        But after looking at all of these (and more) it’s still not clear whether personal data now available on WHOIS could be exempted. Good luck to ICANN in trying to come to some arrangement before year’s end.

  16. BA Maddalena

    I have been getting this more & more the last few months: (allegedly) my email isn’t “valid”, when it is valid! Can malware/virus/spam/spyware, etc., do that to my email? Thank you, Barbara

  17. Rob McEwen

    Brian,

    I have discovered an abuse issue caused by the negligence of an extremely large/famous Internet company that is directly harming spam filters in a way that reminds me of this article. (but possibly worse!) I have contacted them and provided them with detailed evidence of that abuse, and I’m very disappointed about their “Oh well, that is just the way it is” response. I think you’d be shocked too if you saw the details. I don’t want to escalate this just yet to a Brian Krebs article… as I’m trying to give them a chance to see the light first. I sent you a little bit of information about this via LinkedIn messages (we’re 1st connections on LinkedIn). Please review those LinkedIn messages and then drop me a line about this (phone or email) and I’ll send you some more information. I have an Excel spreadsheet with data and stats that is impeccable “forensic-level” evidence and quite disturbing!

    Rob McEwen, CEO of invaluement.com

      1. Rob McEwen

        Paul,

        It wasn’t a registrar, and it was a much larger and much more famous company. I don’t want to give any further hints at this time.

        Rob McEwen, CEO of invaluement com

    1. John Clark

      I bet it’s DreamHost.com. I have been following an identity thief that creates fake staffing companies. I have warned DreamHost abuse staff and they don’t seem to care. It’s really disgusting since they are a company based in Brea, California. I gave them all my evidence that they are providing services to a criminal and they hide behind the technicality of not being a “Tier of Truth.” Other hosting companies that I warned shut down the scammer’s web site.
      https://fakestaffing.blogspot.com

      1. Rob McEwen

        John,

        That is very interesting to know about DreamHost. But the particular abusive situation I’m talking about is, again, a much larger and much more famous company.

  18. Andrew Smith

    GDPR has been in the planning stages for years with warnings about how PII data will potentially be affected being sent out regularly for the past 2 years, and ICANN are only now waking up to the fact they need to do something ?

    Surely, someone like the CAB Forum or even Google / Mozilla, should have seen this coming and put pressure on ICANN to get their act together, especially in light of the recent situation with Symantec SSL/TLS certs ?

    This could potentially make the SSL/TLS cert verification process a lot more difficult and, almost certainly, a lot longer to complete.

  19. John Clark

    For the past three years I have been tracking an identity thief that has built a series of web sites that look like contract job recruitment companies. He sends his targets emails from his registered domains that are hosted by US based companies. He tells his targets that he has a job in their field and geographic area (I think he finds his targets on LinkedIn or other similar job boards).

    He convinces them to go through a phone interview. At the end he says he needs their SSNs and DOBs to submit to the client company. I was a target but did not go through with the interview after I found a bunch of stories using a google search of the phone number he uses. The stories were posted on 800notes.com.

    Because I was not working I started digging on ICANN WHOIS web site and found many of the sites were listed by the same gmail address. I continued digging and found cross listed sites and he has created over 51 sites that I can attribute to him. I informed others on this blog over the past three years.

    Since ICANN WHOIS often posts the hosting company in their records I have sent warnings about the scammer to the host company email addresses. Some have responded by taking down a few of his sites. One that he uses the most, responded that they are not a “Tier of Truth” and will leave his sites up. I reported my findings to the FBI but never got a response.

    I think the scammer used pre-paid credit cards to buy the domains for a year and the really old ones have expired on the list.

    I built a free Blogger site posting details and links to all of my findings. Every once in a while a newly targeted individual will search, find my site and post their experiences. These are the smarter targets, so I don’t have stories of targets that have been successfully victimized.

    With what Bryan has just posted I know that I will not be able to continue to track this scammer and warn others. It really is disappointing that criminals will be able to hide behind another layer of anonymity.

    The blogger site I built with the full list of domains that I have traced to him is at the end of this posting. The blogger site has no advertising and I am not getting any financial payback.
    https://fakestaffing.blogspot.com
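An added example, not code from the post or from any commenter: the pivot described in the comment above and in the first comment thread (registrant details, real or fake, reused across registrations) amounts to grouping domains that share a normalized WHOIS value, transitively. All records, field names and the redaction-marker list are constructed assumptions; the last function shows what the same analysis returns once every registrant field is redacted.

```python
"""Cluster domains by reused WHOIS registrant values (added example).

Every record below is constructed sample data on reserved .example names.
"""
from collections import defaultdict

PIVOT_FIELDS = ("registrant_email", "registrant_phone", "registrant_name")
# Assumption: substrings that mark a redacted or proxy value; real registrars vary.
REDACTION_MARKERS = ("redacted", "privacy", "not disclosed")

SAMPLE_RECORDS = [
    {"domain": "staffing-one.example", "registrant_email": "hiring.desk@mail.example",
     "registrant_phone": "+1 (555) 010-0001", "registrant_name": "J. Smith"},
    {"domain": "staffing-two.example", "registrant_email": "Hiring.Desk@MAIL.example",
     "registrant_phone": "+1 (555) 010-0002", "registrant_name": "John Q"},
    {"domain": "staffing-three.example", "registrant_email": "jobs@other.example",
     "registrant_phone": "+1.5550100002", "registrant_name": "R. Roe"},
    {"domain": "unrelated.example", "registrant_email": "owner@corp.example",
     "registrant_phone": "+1 555 010 0099", "registrant_name": "A. Owner"},
    {"domain": "proxied.example", "registrant_email": "REDACTED FOR PRIVACY",
     "registrant_phone": "REDACTED FOR PRIVACY", "registrant_name": "REDACTED FOR PRIVACY"},
    {"domain": "proxied-two.example", "registrant_email": "REDACTED FOR PRIVACY",
     "registrant_phone": "REDACTED FOR PRIVACY", "registrant_name": "REDACTED FOR PRIVACY"},
]


def normalize(field, value):
    """Return a comparable (field, value) key, or None for empty/redacted values."""
    if not value:
        return None
    v = " ".join(value.strip().lower().split())
    # Redacted values must never act as a pivot, or every proxied domain
    # would collapse into one false cluster.
    if not v or any(marker in v for marker in REDACTION_MARKERS):
        return None
    if field == "registrant_phone":
        v = "".join(ch for ch in v if ch.isdigit())  # ignore punctuation styles
        if not v:
            return None
    return (field, v)


def cluster_domains(records):
    """Group domains linked, directly or transitively, by a shared pivot value."""
    parent = {}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path compression
            x = parent[x]
        return x

    by_key = defaultdict(list)
    for rec in records:
        domain = rec["domain"].lower()
        parent.setdefault(domain, domain)
        for field in PIVOT_FIELDS:
            key = normalize(field, rec.get(field))
            if key:
                by_key[key].append(domain)

    for domains in by_key.values():
        for other in domains[1:]:
            root_a, root_b = find(domains[0]), find(other)
            if root_a != root_b:
                parent[root_b] = root_a

    groups = defaultdict(set)
    for domain in parent:
        groups[find(domain)].add(domain)

    clusters = []
    for members in groups.values():
        shared = sorted("%s=%s" % key for key, ds in by_key.items()
                        if len(set(ds)) > 1 and set(ds) <= members)
        clusters.append({"domains": sorted(members), "shared": shared})
    clusters.sort(key=lambda c: (-len(c["domains"]), c["domains"]))
    return clusters


def redact_all(records):
    """Copy the records with every registrant field replaced by a redaction marker."""
    return [dict(rec, **{f: "REDACTED FOR PRIVACY" for f in PIVOT_FIELDS})
            for rec in records]


if __name__ == "__main__":
    for cluster in cluster_domains(SAMPLE_RECORDS):
        print(cluster)
    print("largest cluster after redaction:",
          max(len(c["domains"]) for c in cluster_domains(redact_all(SAMPLE_RECORDS))))
```

Note that staffing-one.example and staffing-three.example share no field directly; they are linked only through staffing-two.example, which is why the grouping has to be transitive.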

  20. John Clark

    Sorry about the “Bryan”. I have a friend that spells it that way and my computer autocorrects it to that.

  21. SkunkWerks

    I still say the GDPR’s drafters are fundamentally ignorant of how the internet works, and that this is pretty much a classic example of the Road to Hell being paved with only the best of intentions.

    Something-something the internet is not a big truck something-something…

  22. Mischa Obrecht

    I’m not a lawyer but merely a humble EU-adjacent security consultant (the *.ch is not for China) who has been studying the GDPR extensively during the last couple of weeks.

    I see things as follows:
    – The GDPR applies to ALL PII, ranging from names and locations to genetic and biometric data (cf. article 4 (1)). There is however a distinction between “normal” PII and the so-called special categories of personal data including the sensitive information about sexual or political preferences mentioned above (the definition is given in article 9 of the regulation). So I would conclude that the information available in the WHOIS records should be considered “personal data” according to article 4 but should not be considered part of a special category of personal data as described in article 9.

    – Processing of personal data is considered lawful by GDPR regulation article 6 if one or several conditions are met, only ONE OF WHICH is the consent of the respective person. There are others. For instance the processing of personal data “for the performance of a task carried out in the public interest […]” (article 6 (e)) or “processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party […]” (article 6 (f)), both of which in my opinion legitimize the use of personal data in WHOIS-records.

  23. Corey

    ICANN is just one of the issues. In reality, the E.U. is arbitrarily throwing the vast majority of websites into a pool of illegality. Then, like fish in a barrel, they will fire at everyone… one-by-one. Profiting from it all the way, and wiping out entrepreneurship in the process.

    Yet, somehow their magic math says this is going to increase the e-economy dramatically.

    For the biggest players this might be true, but for people with regular websites this is going to be devastating.

    With regard to spammers, I’m trying to figure out how scripts like MagicSpam will be usable. The same goes with many server side scripts that identify IPs for various reasons. There is no way to get consent ahead of time for tracking.

    cPanel statistics, and all WordPress statistics programs would also seem about to become in violation of GDPR.

    Then, there’s the god-awful cookie banners. Don’t even get me started with those. We are training people to reflexively click on those stupid cookie banners. If I were a hacker that would be the very first thing I would use to get them to install malicious scripts, etc.

    What really kills me is that ALL of this could be avoided on the user end. Disabling cookies on the browser and using a VPN, then be careful about the data you submit. But no. The E.U. believes people are too stupid to do that, but smart enough to understand what each cookie on a website does.

    Ironically, this is going to benefit the very same monopolistic companies that have been so problematic. Google, Facebook, etc. Something that I’m sure isn’t lost on these fatheaded politicians and their financial portfolios.

    This is the definition of insanity.

  24. Doug Fodeman

    The WHOIS tool is one of the most valuable tools I have for detecting online fraud and malicious intent. I just used it to identify 20 fraudulent websites created to look like businesses selling new or used laptops (Visit: http://www.thedailyscam.com/would-you-buy-a-computer-from-them/ )

    I often wonder if ICANN is complicit with Internet criminal activity because they make money from the tens of thousands of fraudulent domains purchased by criminals. They make it so darn easy for criminals to operate. ICANN completely ignores their stated responsibility to “preserve and enhance… security” (Taken from ICANN’s Mission statement Core Value [a]: “Preserve and enhance… security.”) I cannot find any evidence anywhere on the ICANN website, or in their actions, that demonstrates any effort to improve security and make it harder for criminals to operate against us. ICANN’s inability to police the Registrar industry that they have created and license is shameful. Criminal gangs misuse the domain name system at will and ICANN does nothing. Limiting the information we can find using a WHOIS tool primarily helps criminals and makes our work to expose them that much harder.
    Doug Fodeman
    The Daily Scam
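
The registrant-email pivot that John Clark and Doug Fodeman describe in the comments above, as an added example that is not part of the original post or of any commenter's tooling. The WHOIS records, the `.example` domains, the addresses and the `REDACTED FOR PRIVACY` placeholder are all constructed, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed WHOIS responses (reserved .example names, no real registrants).
SAMPLE_RECORDS = [
    "Domain Name: STAFFING-ONE.EXAMPLE\nRegistrar: Registrar A\nRegistrant Email: Recruiter01@mail.example\n",
    "Domain Name: staffing-two.example\nRegistrar: Registrar B\nRegistrant Email: recruiter01@mail.example\n",
    "Domain Name: laptops-cheap.example\nRegistrar: Registrar A\nRegistrant Email: REDACTED FOR PRIVACY\n",
    "Domain Name: staffing-three.example\nRegistrar: Registrar C\n",  # no email field at all
    "Domain Name: bakery.example\nRegistrar: Registrar B\nRegistrant Email: owner@bakery.example\n",
]
EMAIL = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

def parse_whois(text):
    """Return the first value seen for each 'Key: value' line, keys lowercased."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields.setdefault(key.strip().lower(), value.strip())
    return fields

def cluster_by_registrant_email(records):
    """Group domains by registrant email; collect records that give no usable pivot."""
    clusters, unattributable = defaultdict(list), []
    for text in records:
        fields = parse_whois(text)
        domain = fields.get("domain name", "").lower()
        if not domain:
            continue  # not a parseable record
        email = fields.get("registrant email", "").lower()
        if EMAIL.match(email):
            clusters[email].append(domain)
        else:
            unattributable.append(domain)  # redacted, placeholder text, or missing
    return dict(clusters), unattributable

def shared_registrants(clusters, minimum=2):
    """Emails that registered at least `minimum` domains: the leads worth reviewing."""
    return {e: sorted(d) for e, d in clusters.items() if len(d) >= minimum}

def redact(text):
    """Mimic redacted public output: the email value is replaced, the rest is kept."""
    return re.sub(r"(?im)^(registrant email:).*$", r"\1 REDACTED FOR PRIVACY", text)
```

Running `cluster_by_registrant_email` on the records as given links the two staffing domains through one address; running it on `[redact(r) for r in SAMPLE_RECORDS]` leaves every domain unattributable, which is the loss of visibility the commenters are objecting to.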

Comments are closed.