27 Apr 18

Security Trade-Offs in the New EU Privacy Law

On two occasions this past year I’ve published stories here warning about the prospect that new European privacy regulations could result in more spams and scams ending up in your inbox. This post explains in a question and answer format some of the reasoning that went into that prediction, and responds to many of the criticisms leveled against it.

Before we get to the Q&A, a bit of background is in order. On May 25, 2018 the General Data Protection Regulation (GDPR) takes effect. The law, enacted by the European Parliament, requires companies to get affirmative consent for any personal information they collect on people within the European Union. Organizations that violate the GDPR could face fines of up to four percent of global annual revenues.

In response, the Internet Corporation for Assigned Names and Numbers (ICANN) — the nonprofit entity that manages the global domain name system — has proposed redacting key bits of personal data from WHOIS, the system for querying databases that store the registered users of domain names and blocks of Internet address ranges (IP addresses).

Under current ICANN rules, domain name registrars should collect and display a variety of data points when someone performs a WHOIS lookup on a given domain, such as the registrant’s name, address, email address and phone number. Most registrars offer a privacy protection service that shields this information from public WHOIS lookups; some registrars charge a nominal fee for this service, while others offer it for free.

But in a bid to help registrars comply with the GDPR, ICANN is moving forward on a plan to remove critical data elements from all public WHOIS records. Under the new system, registrars would collect all the same data points about their customers, yet limit how much of that information is made available via public WHOIS lookups.

The data to be redacted includes the name of the person who registered the domain, as well as their phone number, physical address and email address. The new rules would apply to all domain name registrars globally.

ICANN has proposed creating an “accreditation system” that would vet access to personal data in WHOIS records for several groups, including journalists, security researchers, and law enforcement officials, as well as intellectual property rights holders who routinely use WHOIS records to combat piracy and trademark abuse.

But at an ICANN meeting in San Juan, Puerto Rico last month, ICANN representatives conceded that a proposal for how such a vetting system might work probably would not be ready until December 2018. Assuming ICANN meets that deadline, it could be many months after that before the hundreds of domain registrars around the world take steps to adopt the new measures.

In a series of posts on Twitter, I predicted that the WHOIS changes coming with GDPR will likely result in a noticeable increase in cybercrime — particularly in the form of phishing and other types of spam. In response to those tweets, several authors on Wednesday published an article for Georgia Tech’s Internet Governance Project titled, “WHOIS afraid of the dark? Truth or illusion, let’s know the difference when it comes to WHOIS.”

The following Q&A is intended to address many of the more misleading claims and assertions made in that article.

Cyber criminals don’t use their real information in WHOIS registrations, so what’s the big deal if the data currently available in WHOIS records is no longer in the public domain after May 25?

I can point to dozens of stories printed here — and probably hundreds elsewhere — that clearly demonstrate otherwise. Whether or not cyber crooks do provide their real information is beside the point. ANY information they provide — and especially information that they re-use across multiple domains and cybercrime campaigns — is invaluable to both grouping cybercriminal operations and in ultimately identifying who’s responsible for these activities.

To understand why data reuse in WHOIS records is so common among crooks, put yourself in the shoes of your average scammer or spammer — someone who has to register dozens or even hundreds or thousands of domains a week to ply their trade. Are you going to create hundreds or thousands of email addresses and fabricate as many personal details to make your WHOIS listings that much harder for researchers to track? The answer is that those who take this extraordinary step are by far and away the exception rather than the rule. Most simply reuse the same email address and phony address/phone/contact information across many domains as long as it remains profitable for them to do so.

This pattern of WHOIS data reuse doesn’t just extend across a few weeks or months. Very often, if a spammer, phisher or scammer can get away with re-using the same WHOIS details over many years without any deleterious effects to their operations, they will happily do so. Why they may do this is their own business, but nevertheless it makes WHOIS an incredibly powerful tool for tracking threat actors across multiple networks, registrars and Internet epochs.

All domain registrars offer free or a-la-carte privacy protection services that mask the personal information provided by the domain registrant. Most cybercriminals — unless they are dumb or lazy — are already taking advantage of these anyway, so it’s not clear why masking domain registration for everyone is going to change the status quo by much. 

It is true that some domain registrants do take advantage of WHOIS privacy services, but based on countless investigations I have conducted using WHOIS to uncover cybercrime businesses and operators, I’d wager that cybercrooks more often do not use these services. Not infrequently, when they do use WHOIS privacy options there are still gaps in coverage at some point in the domain’s history (such as when a registrant switches hosting providers) which are indexed by historic WHOIS records and that offer a brief window of visibility into the details behind the registration.

This is demonstrably true even for organized cybercrime groups and for nation state actors, and these are arguably some of the most sophisticated and savvy cybercriminals out there.

It’s worth adding that if so many cybercrooks seem nonchalant about adopting WHOIS privacy services it may well be because they reside in countries where the rule of law is not well-established, or their host country doesn’t particularly discourage their activities so long as they’re not violating the golden rule — namely, targeting people in their own backyard. And so they may not particularly care about covering their tracks. Or in other cases they do care, but nevertheless make mistakes or get sloppy at some point, as most cybercriminals do.
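As an added illustration of the "gaps in coverage" point above (example code written for this page, not taken from the original post): given a historic WHOIS archive for one domain, the script below walks the snapshots in date order, flags the ones that look like privacy/proxy placeholders, and reports the windows in which real-looking registrant details were exposed, which is exactly where the pivot to other domains starts. The snapshot layout, the proxy-marker list and the sample history are all constructed for the example.

```python
"""Find windows in a domain's WHOIS history where registrant details were
exposed (no privacy/proxy service in place) and collect the identity data
leaked during those windows.

Added example, not part of the original post; the snapshot format, the
proxy-marker list and the sample records are constructed assumptions."""
from datetime import date

# Constructed list of strings that commonly appear in proxy/privacy
# registrant records. A real tool would maintain a much longer list.
PROXY_MARKERS = ("whoisguard", "privacy", "proxy", "redacted", "domains by proxy")

# Constructed snapshot history for a hypothetical domain: (snapshot date,
# registrant name, registrant email), as a historic WHOIS archive would
# return it after parsing.
HISTORY = [
    (date(2014, 3, 1), "WhoisGuard Protected", "abc123@whoisguard.com"),
    (date(2015, 3, 2), "WhoisGuard Protected", "abc123@whoisguard.com"),
    # registrant moved hosts and re-registered without the privacy add-on
    (date(2015, 9, 14), "Ivan Example", "ivan.example@mail.invalid"),
    (date(2016, 1, 5), "Ivan Example", "ivan.example@mail.invalid"),
    (date(2016, 4, 20), "Domains By Proxy, LLC", "xyz@domainsbyproxy.com"),
    (date(2017, 1, 1), "REDACTED FOR PRIVACY", "please query the RDDS"),
]


def is_proxied(name, email):
    """True if the record looks like a privacy/proxy placeholder."""
    blob = f"{name} {email}".lower()
    return any(m in blob for m in PROXY_MARKERS)


def exposure_windows(history):
    """Return [(start, end_or_None, name, email)] for each contiguous run of
    snapshots carrying real-looking registrant data. `end` is the date of
    the first proxied snapshot after the run, or None if the exposure is
    still current. A change of registrant inside a run closes it."""
    windows = []
    current = None  # (start, name, email) of the run being tracked
    for when, name, email in sorted(history):
        if is_proxied(name, email):
            if current:
                windows.append((current[0], when, current[1], current[2]))
                current = None
        elif current is None or (current[1], current[2]) != (name, email):
            if current:
                windows.append((current[0], when, current[1], current[2]))
            current = (when, name, email)
    if current:
        windows.append((current[0], None, current[1], current[2]))
    return windows


def exposed_identities(history):
    """Distinct (name, email) pairs ever exposed; these are the pivots to
    search for in other domains' WHOIS records."""
    return sorted({(n, e) for _, _, n, e in exposure_windows(history)})


if __name__ == "__main__":
    for start, end, name, email in exposure_windows(HISTORY):
        print(f"{start} -> {end or 'now'}: {name} <{email}>")
```

On the constructed history the script reports a single window, 2015-09-14 to 2016-04-20, during which the registrant's name and email were visible; note that the last snapshot is already in the post-GDPR "REDACTED FOR PRIVACY" shape, and the marker list treats it the same way as a paid proxy service, since for this purpose both are equally opaque.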

The GDPR does not apply to businesses — only to individuals — so there is no reason researchers or anyone else should be unable to find domain registration details for organizations and companies in the WHOIS database after May 25, right?

It is true that the European privacy regulations as they relate to WHOIS records do not apply to businesses registering domain names. However, the domain registrar industry — which operates on razor-thin profit margins and which has long sought to be free from any WHOIS requirements or accountability whatsoever — won’t exactly be tripping over themselves to add more complexity to their WHOIS efforts just to make a distinction between businesses and individuals.

As a result, registrars simply won’t make that distinction because there is no mandate that they must. They’ll just adopt the same WHOIS data collection and display policies across the board, regardless of whether the WHOIS details for a given domain suggest that the registrant is a business or an individual.

But the GDPR only applies to data collected about people in Europe, so why should this impact WHOIS registration details collected on people who are outside of Europe?

Again, domain registrars are the ones collecting WHOIS data, and they are most unlikely to develop WHOIS record collection and dissemination policies that seek to differentiate between entities covered by GDPR and those that may not be. Such an attempt would be fraught with legal and monetary complications that they simply will not take on voluntarily.

What’s more, the domain registrar community tends to view the public display of WHOIS data as a nuisance and a cost center. They have mainly only allowed public access to WHOIS data because ICANN’s contracts state that they should. So, from registrar community’s point of view, the less information they must make available to the public, the better.

Like it or not, the job of tracking down and bringing cybercriminals to justice falls to law enforcement agencies — not security researchers. Law enforcement agencies will still have unfettered access to full WHOIS records.

As it relates to inter-state crimes (i.e., the bulk of all Internet abuse), law enforcement — at least in the United States — is divided into two main components: the investigative side (i.e., the FBI and Secret Service) and the prosecutorial side (the state and district attorneys who actually initiate court proceedings intended to bring an accused person to justice).

Much of the legwork done to provide the evidence needed to convince prosecutors that there is even a case worth prosecuting is performed by security researchers. The reasons why this is true are too numerous to delve into here, but the safe answer is that law enforcement investigators typically are more motivated to focus on crimes for which they can readily envision someone getting prosecuted — and because very often their plate is full with far more pressing, immediate and local (physical) crimes.

Admittedly, this is a bit of a blanket statement because in many cases local, state and federal law enforcement agencies will do this often tedious legwork of cybercrime investigations on their own — provided it involves or impacts someone in their jurisdiction. But due in large part to these jurisdictional issues, politics and the need to build prosecutions around a specific locality when it comes to cybercrime cases, very often law enforcement agencies tend to miss the forest for the trees.

Who cares if security researchers will lose access to WHOIS data, anyway? To borrow an assertion from the Internet Governance article, “maybe it’s high time for security researchers and businesses that harvest personal information from WHOIS on an industrial scale to refine and remodel their research methods and business models.”

This is an alluring argument. After all, the technology and security industries claim to be based on innovation. But consider carefully how anti-virus, anti-spam or firewall technologies currently work. The unfortunate reality is that these technologies are still mostly powered by humans, and those humans rely heavily on access to key details about domain reputation and ownership history.

Those metrics for reputation weigh a host of different qualities, but a huge component of that reputation score is determining whether a given domain or Internet address has been connected to any other previous scams, spams, attacks or other badness. We can argue about whether this is the best way to measure reputation, but it doesn’t change the prospect that many of these technologies will in all likelihood perform less effectively after WHOIS records start being heavily redacted.

Don’t advances in artificial intelligence and machine learning obviate the need for researchers to have access to WHOIS data?

This sounds like a nice idea, but again it is far removed from current practice. Ask anyone who regularly uses WHOIS data to determine reputation or to track and block malicious online threats and I’ll wager you will find the answer is that these analyses are still mostly based on manual lookups and often thankless legwork. Perhaps such trendy technological buzzwords will indeed describe the standard practice of the security industry at some point in the future, but in my experience this does not accurately depict the reality today.

Okay, but Internet addresses are pretty useful tools for determining reputation. The sharing of IP addresses tied to cybercriminal operations isn’t going to be impacted by the GDPR, is it? 

That depends on the organization doing the sharing. I’ve encountered at least two cases in the past few months wherein European-based security firms have been reluctant to share Internet address information at all in response to the GDPR — based on a perceived (if not overly legalistic) interpretation that somehow this information also might be considered personally identifying data. This reluctance to share such information out of a concern that doing so might land the sharer in legal hot water can indeed have a chilling effect on the important sharing of threat intelligence across borders.

According to the Internet Governance article, “If you need to get in touch with a website’s administrator, you will be able to do so in what is a less intrusive manner of achieving this purpose: by using an anonymized email address, or webform, to reach them (The exact implementation will depend on the registry). If this change is inadequate for your ‘private detective’ activities and you require full WHOIS records, including the personal information, then you will need to declare to a domain name registry your specific need for and use of this personal information. Nominet, for instance, has said that interested parties may request the full WHOIS record (including historical data) for a specific domain and get a response within one business day for no charge.”

I’m sure this will go over tremendously with both the hacked sites used to host phishing and/or malware download pages, as well as those phished by or served with malware in the added time it will take to relay and approve said requests.

According to a Q3 2017 study (PDF) by security firm Webroot, the average lifespan of a phishing site is between four and eight hours. How is waiting 24 hours before being able to determine who owns the offending domain going to be helpful to either the hacked site or its victims? It also doesn’t seem likely that many other registrars will volunteer for this 24-hour turnaround duty — and indeed no others have publicly demonstrated any willingness to take on this added cost and hassle.

I’ve heard that ICANN is pushing for a delay in the GDPR as it relates to WHOIS records, to give the registrar community time to come up with an accreditation system that would grant vetted researchers access to WHOIS records. Why isn’t that a good middle ground?

It might be if ICANN hadn’t dragged its heels in taking GDPR seriously until perhaps the past few months. As it stands, the experts I’ve interviewed see little prospect for such a system being ironed out or in gaining necessary traction among the registrar community to accomplish this anytime soon. And most experts I’ve interviewed predict it is likely that the Internet community will still be debating about how to create such an accreditation system a year from now.

Hence, it’s not likely that WHOIS records will continue to be anywhere near as useful to researchers in a month or so as they were previously. And this reality will continue for many months to come — if indeed some kind of vetted WHOIS access system is ever envisioned and put into place.

After I registered a domain name using my real email address, I noticed that address started receiving more spam emails. Won’t hiding email addresses in WHOIS records reduce the overall amount of spam I can expect when registering a domain under my real email address?

That depends on whether you believe any of the responses to the bolded questions above. Will that address be spammed by people who try to lure you into paying them to register variations on that domain, or to entice you into purchasing low-cost Web hosting services from some random or shady company? Probably. That’s exactly what happens to almost anyone who registers a domain name that is publicly indexed in WHOIS records.

The real question is whether redacting all email addresses from WHOIS will result in overall more bad stuff entering your inbox and littering the Web, thanks to reputation-based anti-spam and anti-abuse systems failing to work as well as they did before GDPR kicks in.

It’s worth noting that ICANN created a working group to study this exact issue, which noted that “the appearance of email addresses in response to WHOIS queries is indeed a contributor to the receipt of spam, albeit just one of many.” However, the report concluded that “the Committee members involved in the WHOIS study do not believe that the WHOIS service is the dominant source of spam.”

Do you have something against people not getting spammed, or against better privacy in general? 

To the contrary, I have worked the majority of my professional career to expose those who are doing the spamming and scamming. And I can say without hesitation that an overwhelming percentage of that research has been possible thanks to data included in public WHOIS registration records.

Is the current WHOIS system outdated, antiquated and in need of an update? Perhaps. But scrapping the current system without establishing anything in between while laboring under the largely untested belief that in doing so we will achieve some kind of privacy utopia seems myopic.

If opponents of the current WHOIS system are being intellectually honest, they will make the following argument and stick to it: By restricting access to information currently available in the WHOIS system, whatever losses or negative consequences on security we may suffer as a result will be worth the cost in terms of added privacy. That’s an argument I can respect, if not agree with.

But for the most part that’s not the refrain I’m hearing. Instead, what this camp seems to be saying is that if you’re not on board with the WHOIS changes that will be brought about by the GDPR, then there must be something wrong with you, and in any case here are a bunch of thinly sourced reasons why the coming changes might not be that bad.


57 comments

  1. The Sunshine State

    That’s what we all need, more spam on a daily basis.

  2. Unlike the ICANN person and I don’t play one on TV. However …. my reading of GDPR Article 6 indicates that it provides plenty of legal cover for the registrars in as many as three instances.

    6(1)(a) says processing (their term for collecting, storing, and making available) is lawful if the data subject has “given consent.” Since applicants volunteer their information in exchange for getting an IP address, consent has been established.

    6(1)(b) says processing is lawful if it is “necessary for the performance of a contract.” If I pay money to a registrar and receive an IP address as a result, we have a contract.

    So the right to collect and process information seems to be OK. What about publishing it?

    6(1)(f) says that processing is lawful “for the purposes of legitimate interests pursued by the controller or a third party” except if the “rights and freedoms of the data subject” take precedence — “in particular where the data subject is a child.” I think that security research and protection of Internet users from all kinds of bad guys would qualify as “legitimate interests.”

    But of course the ICANN lawyers have already been through all this, so they must have some different point of view.

    • Totally agree. I expect it is also in the public interest, so would accept that basis too.

      • A commenter in the Facebook article mentioned “Safe Harbor”. In this article we have the enactors at GDPR and ICANN potentially increasing cybercrime against the “public good”, as in a “likely result in a noticeable increase in cybercrime — particularly in the form of phishing and other types of spam”. Public good has legal standing.

    • That may be true, but from the standpoint of a registrar, it’s easier and less costly, legally and otherwise, to just not show any info, period end of story. They remain in compliance and don’t have to pay lawyers to argue why they made exceptions. No exceptions, no lawyers.

    • Consent is NOT established by a business transaction. I provide my full name and contact information for many transactions, such as buying a car or an on-line purchase. I understand that the transaction includes “collecting” and “storing” my information for the purpose of completing the transaction. That is most certainly NOT consent for “making available” to non-transaction parties.

    • GDPR doesn’t really work that way.

      If consent is the basis for processing, it must be freely given (without coercion) and opt-in (the default agreement must exclude it), if it’s a mandatory term in an agreement, then that’s not GDPR-valid consent. Furthermore, consent can be revoked at any time without detriment to the user, i.e. even if they consented at the point of registering the domain name, they can change their mind at any time including five seconds afterward, without detriment (i.e. without the contract being broken), and if consent is the only reason you had, you must remove their data.

      If necessity for the performance as a contract is the basis for processing, then this refers to “can you actually perform the contract without having that information”, not “was this request for information included in the contract”, and it also limits the permitted use only to the actual performance of the contract. I.e. 6(1)(b) is a valid reason for a webshop to store the customer’s address, since it’s needed to deliver the goods, but it’s not a sufficient reason for the webshop to do anything else with that address. In the registrar case, having your *full* contact info is obviously not needed to execute the contract – they *can* take your money and assign the domain without having that.

      If anything, 6-1f would be the proper way to handle this; but this is a bit tricky – this would be the legal justification in the process described in this article (disclosing information about *some* domains after receiving complaint), but one of the overriding principles is 5-1c: data processing shall be “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);” the pursuit of spammers may justify disclosing information, but this should be minimized; one can justify that it’s necessary to disclose *their* information but that’s not justification to disclose *my* information (assuming there’s no specific cause) and certainly not indiscriminately disclosing *everyone’s* information, that clearly wouldn’t be the minimal necessary amount of data.

    • FWIW, domain registration doesn’t give you an IP address.

      It just gives you the ability to populate information for a domain name.

      Where to start…
      IP Addresses are assigned by IANA [1] — Internet Assigned Numbers Authority. IP Addresses are split into blocks and allocated to Regional Internet Registries [2], the one you probably deal with is American Registry for Internet Numbers [3]. RIRs assign blocks to companies/organizations, historically this was governments, military, universities, and Hosting providers/ISPs. These days, if you’re getting an IP, it’s probably from a hosting provider/ISP.

      IP addresses are awkward things. Sure, 1.1.1.1, 4.4.4.4, 8.8.8.8, 9.9.9.9 are easy to remember. But, what about 130.211.45.45?*

      Second, while we’re working on exhausting IP addresses [4], there are way more domains than IP addresses, and it’s helpful for a computer to be able to respond to more than one domain. e.g. Google Search [5] + Google Images [6].

      In order to allow humans (and computers) to not spend too much time memorizing IP addresses, an additional layer is built on top of IP addresses: DNS [7].

      * FWIW, this was the IP address that my computer returned for krebsonsecurity.com, but, it’s just one of many in Google’s Project Shield [8], another example of multiple domains mapping to a single computer (and in fact, a domain mapping to multiple computers — most likely if you did a lookup, you’d get a different IP address).

      There are other reasons to not be tied to IP addresses, one is resiliency, as w/ the Project Shield, if one IP address goes down, and a domain name points to more than one, then users can still access a site, whereas, if everything was configured by IP address, and the IP address went down, then you’re out of luck, and you’d have to update all pointers to the new IP address by hand when you picked one….

      At the root of DNS are a family of computers including a.root-servers.net.

      For someone trying to add a domain name to DNS, there are a number of steps:
      1. Picking a TLD [9] (do you want something-something-something.com, or something-something-something.su?)
      2. Finding a registrar (GoDaddy? NameCheap? …)
      3. Asking the registrar [10] for a domain name
      4. In the asking, you fill out basic information (the domain name), billing information, term, and contact information, along with general account information.
      5. This gives you ownership of a domain (subject to the terms and conditions of the TLD/registrar).

      Domain registration is managed by Internet Corporation for Assigned Names and Numbers (ICANN) [11]. ICANN and IANA are effectively siblings, they work together to help establish the basics of the Internet. One possible way the Internet could have been established was with the functions of IANA and ICANN owned, operated, and controlled by the US Government (since it helped set up the basics of the Internet). Thankfully, the US Government didn’t do that, IANA/ICANN were chartered and given significant leeway to avoid leaving them entirely at the whims of the US government.

      Anyway, ICANN set up general rules for a WHOIS [12] database (the precise behavior of whois actually varies by TLD).

      ICANN also delegates out control for each TLD to a different entity, some (like com/net/org) are part of the US block, many are ccTLDs [13] and essentially delegated to each country (.su is special…). The TLD sets up its own rules (subject to ICANN’s…) and picks one or more registrars (it can be its own if it chooses…).

      Once you have an account registered w/ your registrar for a domain, you fill out a set of DNS servers (these are entered in the WHOIS database). Essentially, in buying the domain, you’re arranging for the registrar to set up ownership of the domain with the TLD’s DNS system, so that queries for it will be mapped according to your wishes.

      When initial lookups are done for the root of your domain, some magic is done in order to return a dns server [14] address based on the information provided to the registrar (and mirrored in whois).

      From there, queries then go to the dns server which allows you to map a hostname to an IP addresses.

      There’s a lot of caching involved, and a number of layers that I’m glossing over (BGP and Anycast come to mind — Brian has written about BGP hijacking, as well as IP address hijacking…).

      Technically, your DNS server will also list the DNS servers that answer for your domain, but someone looking your domain up initially can’t use that information, because that’s a catch-22 — they need to find your DNS server first in order to know to ask *it* for the list.

      Point being: Buying a domain doesn’t get you an IP address, it just gets you permission to offer a resolver for a name which could, perhaps, point to an IP address. (And often, registrars will offer to manage the DNS server for you.)

      It’s actually possible to buy a domain name never set up any IP addresses. One could for instance only set up some TXT records (e.g. SPF, perhaps saying “no one is allowed to send mail from this domain”), or to set up a domain which just resolves to another domain (e.g. a typo for one politician which resolves to the hostname (but not IP!) of a competing politician).

      [1] https://www.iana.org/
      [2] https://en.wikipedia.org/wiki/Regional_Internet_registry
      [3] https://www.arin.net/
      [4] https://en.wikipedia.org/wiki/IPv4_address_exhaustion
      [5] https://www.google.com
      [6] https://images.google.com
      [7] https://en.wikipedia.org/wiki/Domain_Name_System
      [8] https://projectshield.withgoogle.com/public/
      [9] https://en.wikipedia.org/wiki/Top-level_domain
      [10] https://en.wikipedia.org/wiki/Domain_name_registrar
      [11] https://www.icann.org/
      [12] https://en.wikipedia.org/wiki/Whois
      [13] https://en.wikipedia.org/wiki/Country_code_top-level_domain
      [14] https://en.wikipedia.org/wiki/Name_server

    • By my reading, the GDPR requires that unless the data collection is necessary for the process to be performed, it must be optional. You don’t NEED to get someone’s registrant information to provision them a WHOIS record, ergo they can’t legally require that people give it.

  3. I wonder if pseudo-anonymity might be acceptable under GDPR? With pseudo-anonymity, each individual/email address would be identifiable with a randomly generated something (e.g. hash, etc.) that would be unique to that same email address or registrant. No one could use that information to identify the person individually, but would be able to tell how many domains the same pseudo-anonymous entity registered and what they were affiliated with. And in the legal cases where the pseudo-anonymity needs to be removed for an investigation, it can be done for just those legal entities. I’m not sure a unique pseudo-anonymous string is any more legal under GDPR than the actual registration information, but if implemented, could allow researchers to at least confirm an identity was or wasn’t associated with one or more registrations.

    • Max Pritchard

      The EU GDPR has a lot to say about pseudonymisation. As a process it is not enough in and of itself to meet the regulation’s requirements, but it is seen as an important factor and, alongside data minimisation, storage and process limitations, an essential step in reducing risk and helping controllers meet their obligations.

      It does not preclude or rule out the requirement for other organisational or technological features to address security and data subject access rights, however.

      Mentions: recitals 26, 28, 29, 75, 78, 85, 156
      Article 3 para 5, Article 6 para 4(e), Article 25 para 1, Article 32 para 1(a), Article 40 para 2(d), Article 89 para 1

  4. Would it be possible for WHOIS to hash the values they want to hide? Thus allowing researchers to look for patterns without actually seeing the private data.

  5. Just a tangent. It would be nice if every person received the benefit of “domain privacy protection” without getting an extra charge each year of $5-$15usd per domain. So there is that upside.

  6. I for one welcome the rule change. As a website owner, I’m tired of getting spam addressed to my website’s WHOIS email address, and I don’t want to pay for name obfuscation.

    And don’t get me started on less-savvy folks getting scammed by fake domain renewal emails sent to the address they gave when they created a website for their small business.

  7. William Kellermann

    There are five legal bases for processing, in addition to consent. This is not a GDPR issue, it is a business and process issue for ICANN and registrars. They’ve had since April 27, 2016 to get this done.

    Security researchers and other non-LEO investigators have a much bigger privacy issue with the GDPR anyways. If you collect data elements that ultimately point to and identify a natural person who is an EU citizen, those data points are now PII and subject to the GDPR as well.

    Last, this is not a new problem. IP and email addresses were PII under the 95 Directive. It’s just that now enforcement has teeth.

  8. Bjarne D Mathiesen

    Europe fires back at ICANN’s delusional plan to overhaul Whois for GDPR by next, er, year

    http://www.theregister.co.uk/2018/04/27/europe_icann_whois_gdpr/

  9. Marco Gioanola

    While I concur with Krebs’ points, my problem with this debate is that it seems like it’s all the GDPR’s fault. “Oh because of Europe’s data protection law we won’t be able to go after spammers!”. No. It’s ICANN’s fault. It’s their inability to come up with a way to comply with the GDPR. This should be a campaign against ICANN. Stop stressing that the GDPR caused this and the GDPR caused that. ICANN, like everybody else, had *years* to get their act together, and if damage will be done it’s because of their laziness alone. GDPR is law, and nobody should suggest that we might bend the law because of ICANN’s laziness.

    • The campaign should be to exclude Germany from participating with the Internet community. Teach them to think before making idiotic laws.

  10. Jakub Narębski

    If the change gets implemented, would we be able to track how it affected the amount of spam and scams?

  11. What will change? Nothing; those who have power remain strong and wealthy anyway.
    Those laws and regulations, made for whom?

    • Laws put into place to protect criminals that have political power.
      Like the Right to be Forgotten, so criminals can keep people from knowing they are untrustworthy.

    • Poor people thinking that economic success only comes to those who are born with money has increased in recent years. I’m not sure where they’re getting this idea since opportunity is still available if you’re willing to work for it. Some folks prefer to blame others for their own lack of success while insisting that they deserve more than what they have.

  12. The correlation activities described in the article only require a one-way transformation of the private information fields, or a central repository where you ask for one object and get the other correlated objects. It’s very different from showing the need for the actual private information.
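
Comments 3, 4 and 12 above all propose the same thing: publish a one-way transform of the registrant fields so that researchers can still correlate domains by registrant without seeing the data, and let the registry reverse it only under a lawful request. The example below is added here as an illustration and is not code from the article, from ICANN or from any registry; the WHOIS records, the key and the candidate list are constructed. It shows the check a practitioner would want before trusting such a scheme: an unkeyed hash of an email address is trivially reversed by guessing (the space of plausible addresses is small and spammers already hold address lists), whereas an HMAC under a secret held by the registry keeps the correlation property and is reversible only by the key holder. Note the GDPR caveat the commenter raises is real: a keyed pseudonym that the registry can attribute back to a person is still personal data under the regulation (recital 26), so this reduces exposure rather than removing the obligation.

```python
"""Pseudonymous WHOIS contact fields: unkeyed hash vs. keyed (HMAC) transform.

Added example, not code from the article or any registry. The design
(registry-held key, HMAC-SHA256 over a normalised e-mail) is an assumption
made for illustration; the records below are constructed sample data.
"""
import hashlib
import hmac
from collections import defaultdict

# Constructed sample WHOIS records (invented domains and addresses).
SAMPLE_WHOIS = [
    {"domain": "example-shop.test", "email": "Alice@example.test"},
    {"domain": "example-deals.test", "email": "alice@example.test"},
    {"domain": "example-news.test", "email": "bob@example.test"},
]

# A guess list of the kind an attacker (or a spammer with an address list)
# would already hold. Constructed for the example.
CANDIDATE_EMAILS = ["carol@example.test", "bob@example.test", "alice@example.test"]


def _normalise(email: str) -> bytes:
    """Case-fold and strip so 'Alice@x' and 'alice@x' map to one pseudonym."""
    return email.strip().lower().encode("utf-8")


def naive_pseudonym(email: str) -> str:
    """Unkeyed SHA-256 of the address: deterministic, but reversible by guessing."""
    return hashlib.sha256(_normalise(email)).hexdigest()


def keyed_pseudonym(email: str, key: bytes) -> str:
    """HMAC-SHA256 under a registry-held secret (assumed design).

    Same correlation property as the plain hash, but an outsider cannot
    confirm a guess without the key.
    """
    return hmac.new(key, _normalise(email), hashlib.sha256).hexdigest()


def correlate(records, pseudonym_fn):
    """Group domains by pseudonymous registrant; the e-mail is never exposed."""
    groups = defaultdict(list)
    for rec in records:
        groups[pseudonym_fn(rec["email"])].append(rec["domain"])
    return dict(groups)


def dictionary_attack(target: str, candidates, pseudonym_fn):
    """Try to recover the address behind a published pseudonym by guessing.

    Works against naive_pseudonym; fails against keyed_pseudonym unless the
    attacker also holds the key.
    """
    for cand in candidates:
        if hmac.compare_digest(pseudonym_fn(cand), target):
            return cand
    return None


def reidentify(target: str, records, key: bytes):
    """What the key holder does under a lawful request: match the pseudonym
    against the full records it already stores."""
    for rec in records:
        if hmac.compare_digest(keyed_pseudonym(rec["email"], key), target):
            return rec["email"]
    return None


if __name__ == "__main__":
    key = b"registry-secret-key-for-the-example"
    print("groups (keyed):", correlate(SAMPLE_WHOIS, lambda e: keyed_pseudonym(e, key)))
    plain = naive_pseudonym("alice@example.test")
    print("naive hash reversed to:", dictionary_attack(plain, CANDIDATE_EMAILS, naive_pseudonym))
    keyed = keyed_pseudonym("alice@example.test", key)
    print("keyed pseudonym reversed to:", dictionary_attack(keyed, CANDIDATE_EMAILS, naive_pseudonym))
    print("key holder re-identifies:", reidentify(keyed, SAMPLE_WHOIS, key))
```

Two design points worth noting. Normalising the address before hashing is what makes two registrations by the same person collide into one pseudonym, which is the whole value of the scheme for researchers; without it, a registrant can defeat correlation with a capital letter. And the key must be per-registry and rotated with care: rotating it breaks historical correlation, while sharing it with third parties turns the keyed pseudonym back into the guessable hash.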

  13. I found I was getting SPAM on the email address registered for my web site, and that it was too easy for people to get information that could be used to get a password reset by Apple, among others, with WHOIS. I have a CONTACT ME page that generates an email so people can contact me, but it was the registered email on WHOIS that was a SPAM target. I contacted my provider to get my personal information privatized. I prefer this approach. I try to make myself a smaller target, rather than a bigger one, for SPAM and worse.

  14. “Nominet, for instance, has said that interested parties may request the full WHOIS record (including historical data) for a specific domain and get a response within one business day… [hyperlinked in the article to the Nominet reference]”

    That’s going from a working, automated WHOIS to a time-delayed WHOIS. I don’t see a major difference in that statement from what already exists besides the delay?

  15. “privacy utopia”? I don’t think anyone expects that. “Better privacy” is what’s expected.

  16. ICANN and domain registrars are getting their panties knotted up for nothing.

    The Internet isn’t simply a private, corporate network. Much of it is funded publicly and overseen by local, national, and international quasi-governmental agencies.

    That makes WHOIS records public information.

    Further, most of the Internet is outside of Germany. The largest stakeholders should simply exclude Germany from the rest of the Internet until they drop their idiotic restrictions.

    • P.S. I’m aware it’s an EU thing, not just Germany. But this was pushed by Germany and the EU is basically an extension of German arrogance and hegemony.

  17. Justarandomeuropean

    My impression is that Brian is just trying to protect a valuable source for a lot of his investigations (very good ones, indeed).
    It also appears clear there is a difference of mind between Americans and Europeans like me: for you it is normal that anyone is collecting
    and handling your personal information, even without your consent and possibly to make a profit on it.
    Think about companies like Equifax, or just Facebook itself; I can tell you that most of us shiver just thinking about that.
    I think the point is a different view of the word “freedom”: Americans want to do whatever they like to do while respecting the law; Europeans’ meaning of freedom is doing our business without anyone looking at us if not needed.
    Please just respect us and remove that useless stuff 🙂
    PS. Having been a penetration tester since 1998, the whois information has been the most valuable source of successful attacks: it helped me find emails to send trojans to, find secondary and less protected domains, and sometimes also non-existent emails on free providers, so I could hijack the domain just by registering it again.

    • Totally agree. I can understand why Brian is impacted and indeed worried about this change, but I think it summarizes a great difference between the US and Europe.

      In Europe, and contrary to the US, people don’t care about being able to do their own defense. That’s why guns are not allowed and why private investigators are not common. They trust and rely on the police (and government in general) to do it for them.

      Of course Brian is doing good work here, but as an EU citizen, I’ve always been quite disturbed by that public shaming. What if you make a mistake and name the wrong person? What if you suddenly decide to investigate certain persons to serve a political agenda?

      With great power comes great responsibilities and that’s why it’s better left to the police, because they are accountable for their actions and they’re supposed to protect everyone the same way.

      So I’m not sure anybody in EU would view the Q&A answers as valid, because they don’t even value the right to defend themselves.

  18. Dear All, if you are worried about outdated court and agency forms, Forms Workflow can help you! You can minimize the danger of utilizing outdated forms and dispense with rejected filings now. We are here to help you: rapidly get to usable Microsoft Word or PDF forms! Reduce errors by taking advantage of a unified database.
    Head over to and start your Free Subscription now…

    • James Beatty

      Such an appropriate post to a topic where spam has been mentioned so frequently…

  19. It’s ironic that Georgia Tech’s Internet Governance Project censors response posters that don’t wish to provide their personal contact details.

    • It did not go unnoticed. Everybody wants a bus stop, until it’s by their front door.

      Also noticed the disingenuous comments made there. Anybody that really understands cyber security and is really interested in human rights would run a mile from those.

  20. Finally, finally, we’ll get an official definition of who is an official, government-approved, real serious journalist and who isn’t.
    An official journalist is someone who has access or could easily get it when needed. It’s like a blue check on Twitter or a fancy journalist badge. Without it, you’re a nobody.
    Probably the same journalists who get off-the-record briefings from government officials will make the list. Trouble-making writers from trouble-making publications will encounter some difficulties.
    I’m curious which Chinese, Egyptian, Turkish, Cambodian, Russian, British, or US journalists will receive this official certification and which ones won’t make the grade.
    Governments around the world have been eagerly awaiting this moment. This is just a preview of what’s to come, now that the ICANN is a private corporation, insulated from accountability. The EU has taken a first, but bold step toward a brave new future.
    Let’s raise journalistic standards together! Long live our fearless leaders!

  21. Quantifying reputation for WHOIS domain registrant access to these records apparently mirrors the PRC’s “social credit score” measurement.

    Reputation is a transient, subjective impression that may erode or be restored. Merriam-Webster (https://www.merriam-webster.com/dictionary/reputation) states:
    1 a : overall quality or character as seen or judged by people in general
      b : recognition by other people of some characteristic or ability (“has the reputation of being clever”)
    2 : a place in public esteem or regard : good name (“trying to protect his reputation”)

    Organizational reputation can be as volatile as any individual’s. Loss of an organization’s public trust is quotidian: profit/loss, product-related death/injury, data breach, etc. Reputations oscillate for law enforcement and non-profits too. Criminally inclined domain registrants should be easier to identify, though the due diligence investigation is costly and time-consuming, and sometimes reveals false positives.

    A reputation score, automatically compiled from metadata, will likely possess algorithmic bias and may prove unreliable and capriciously discriminatory. Reliance on machine judgment, like the sentencing guideline systems applied against criminal convictions, is more cost effective but troublesome for jurisprudence. Deployment of it places WHOIS record access decisions into authoritarian practice.

    Exception logic for this software stack must not be eligible for liability indemnification, a common stipulation for any published application stack. A very high standard for this stack must be established, and full corporate accountability established and enforced for the owners and operators to minimize abuse or gamification for profit.

    This entire problem — how to establish trustworthiness as a basis for reputation in an anonymously authenticated Internet ecosystem — is like trying to pick the fly poop out of a pepper pile: a fool’s errand for the 21st Century.

    Who will guard the guardians of a reputation scoring system? An authoritarian government simplifies this decision — they own it all. Tough luck.

    In a democracy, the government’s executive branch enforces the law and regulations. If bent or abused by political will, without an unimpeachable inspector general and significant independent civilian oversight, accountability is buried.

  22. Great Q&A, Brian.

    One additional complication is that in many cases it’s the registry that’s displaying this data, not the registrar.

    In the case of .com and .net, the registrars display the data under what’s called “thin Whois”.

    In the case of many other domains such as .info, .biz and .uk, it’s the registry in what’s called “thick Whois”. (Nominet is actually a registry, not a registrar.)

    So on .com/.net this is an issue for registrars, but under thick Whois TLDs it’s actually an issue for the registries.

  23. So the GDPR has killed whois as a diagnostic tool. I reckon I will have to get used to it.

    I never forget that politicians and criminals are moral brethren separated only by legal fiction so I am very rarely surprised by legislative pandering.

  24. I think the data protection authorities will not make an exception for WHOIS in publishing email addresses. Why would they?

    The GDPR already makes spamming a criminal offense. Even collecting, trading, and possessing email addresses without explicit consent and the ability to be forgotten is a criminal offense, punishable with fines up to 20M euros.

    Solving such criminal operations is generally considered the domain of law enforcement and they can access the original records behind WHOIS using the normal channels.

  25. Cannot say I am required to work with GDPR issues due at the end of the month but I did think an article from Krebs on this issue would be forthcoming. Perhaps singling out social media sites operating in the EU. I thought I would see some sort of agreement with the new mandates aiming toward protecting people’s data and privacy. Guess surprises are in order. You seem to be implying the new regulations may inadvertently make matters worse.

  26. Wow.

    I didn’t expect to see anti-GDPR arguments from you Brian.

    Just another example of the difference between EU/USA with regard to privacy, I guess.

  27. Today is May 1,2018. On May 25, 2018 the General Data Protection Regulation (GDPR) takes effect. It was in public preparation since 2011. Starting to complain a few months before this date is ridiculously late and that makes us all to blame for this situation, not just EU lawmakers or ICANN lawyers.

    What I see is plenty of room from the lawmakers’ perspective for a decent whois system. However, ICANN has not been responsive, acts very slowly, participation by members on this topic is weak and I do not get the impression the decisions are based on solid knowledge and understanding of the GDPR, even if any lawyer was involved. As a result ICANN members preferred the easy and cheap route on how to protect ICANN members from possible future legal procedures: just close the whois as much as possible and hope resulting problems do not occur.

    Some countries already have strict policy regarding disclosure of personal information. Large parts of the world population live in countries with strict privacy rules or where privacy is part of the constitution. Any constitution from a democratic system should be considered very seriously, even if you as an individual do not agree on certain topics.

    Lawmakers are aware of the downside of privacy, and thus instead of fighting constitutions or laws, it is more fruitful to acknowledge differences and options provided by law at an early stage. None of the parties involved in the design, implementation or use of personal details from whois records showed themselves ready for this or willing to do this. And now, May 1, 2018, we can thank all ICANN members and users for the situation we are in.

    GDPR allows for a whois system with personal information publicly available. For this ICANN members must provide rules that, in order to fit a specific purpose, certain details are required to be made public in order to be able to participate in the public domain system. A registrant must willingly agree, or the domain service cannot exist. The definition of public availability can be direct availability of any form of disclosure by the registrant in case of complaints regarding abuse etc. Key is purpose and willing agreement by the registrant.

    It is not uncommon for countries to have laws demanding that business contact details be part of public knowledge for accountability and verification. Details of a private person most likely are protected unless conditions are met. I don’t see any reason this cannot be implemented by ICANN members regarding domain registration and whois data availability for the purpose of a safer internet where businesses and individuals are primarily accountable for owning a domain or any service part of that domain.

    Any ICANN member is responsible for the downside of this overly protective so called solution for the whois system that most likely will be in place for the next months or even years. Any user of the whois system is to blame for not acknowledging at an early stage the risk of whois data not being available while depending on it. Shame on all ICANN members and shame on us.

    How to go forward? Any user depending on the whois data can contact ICANN members and complain directly regarding this situation and provide solutions. ICANN members are not moving any faster because of some public complaints on websites about lawmakers or the ICANN proposals. ICANN members are not in a hurry, ICANN members are not rescheduling over this, ICANN members do not care. Unless it becomes clear to the public what ICANN is doing here to make securing the internet more difficult while taking good care of ICANN members’ profits.

  28. You know what else I see in our future (as if increased cybercrime isn’t bad enough)?

    An increase in disinformation campaigns.

    Another business that benefits when it can befuddle folks as to its sources.

    Not like that hasn’t been a problem lately though, so… yeah, let’s do this.

    I still maintain that- while well-intentioned- the GDPR as a piece of legislation is just shy one guy obsessing over tubes, trucks and what you can’t just dump on the internet of being fairly laughable as an attempt to improve anything.

  29. @SkunkWerks
    “I still maintain that- while well-intentioned- the GDPR as a piece of legislation is just shy one guy obsessing over tubes, trucks and what you can’t just dump on the internet of being fairly laughable as an attempt to improve anything.”

    Could you please explain to us why you think this multi-year effort of many people deeply involved in matters of privacy and attacks on privacy compares to “one guy obsessing over tubes, …”? Or is this just an empty insult?

    Whatever its faults are, the GDPR does have a grasp of communications technology (but less on, e.g., machine learning).

  30. “Or is this just an empty insult?”

    I’ve explained it elsewhere in my comments regarding this and other articles on the GDPR. It’s hinted at here, but if you want me to say it as plainly as possible?

    It’s a set of laws that attempts to regulate a resource whose authors don’t seem to comprehend its nature at any fundamental level.

    I’d be the first to say that it’d be really swell if people could be “forgotten” on the internet when it’s clear that some unfortunate or ugly exposure of one kind or another is pretty clearly causing social or maybe even physical harm to society or individuals.

    I’d also be the first to say that just wishing for- even if it sounds so very “right”- it doesn’t make it so…

    “…the GDPR does have a grasp of communications technology…”

    …nor does it address the actual, pragmatic challenges of making such a thing possible.

    In the case of this WhoIs matter, it apparently also fails to account for the collateral effects of “uncompromising idealism”- even where it seems to contradict the core purpose of the regulation.

    So again, well meant, but seemingly clueless.