A new European data privacy law and official internet policy are about to conflict with each other.
In May, the European Union’s General Data Protection Regulation (GDPR) will officially go into effect. The GDPR is ostensibly a law to protect the privacy of European citizens when it comes to how internet megacorporations like Google and Facebook handle their data. But the privacy regulations also come with some secondary effects whose influence extends far beyond the borders of the EU and ironically may actually serve to undermine the security of internet users, rather than protect them.
Case in point is the fate of WHOIS, a protocol dating back to the 1980s for looking up the names and contact information of people who have registered a domain name. There are a number of free WHOIS search tools on the internet, and unless the owner of that domain has opted to mask their information, anyone can look up the name, address, email and phone number of the registrant. There are also more sophisticated WHOIS tools that operate for a fee.
This protocol is an invaluable resource for security researchers, journalists, and law enforcement officers who use it to track the dissemination of information or malware on the internet. On the other hand, it has historically been treated like a goldmine for spammers and hackers, who are able to scrape the information from WHOIS databases to push junk, dox, or otherwise target registered users. This has led to a proliferation of WHOIS masking services, often provided by domain registrars themselves for a small fee.
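As an added illustration of the lookup described above (example code written for this page, not from the article, ICANN or any registrar): a minimal RFC 3912 WHOIS client over TCP port 43, plus a parser that flags which registrant fields a registrar has withheld. The sample reply, the domain names and the redaction markers are constructed, not taken from a real record.

```python
import re
import socket
from typing import Dict, List

# Constructed sample of a registrar's port-43 reply; not a real record.
SAMPLE_RESPONSE = """Domain Name: EXAMPLE-REGISTRANT.TEST
Registrar: Example Registrar, LLC
Creation Date: 2017-11-02T15:04:05Z
Registrant Name: REDACTED FOR PRIVACY
Registrant Organization: Privacy Proxy Service
Registrant Email: contact@privacyproxy.invalid
Registrant Phone: REDACTED FOR PRIVACY
Name Server: NS1.EXAMPLE-DNS.TEST
Name Server: NS2.EXAMPLE-DNS.TEST
>>> Last update of WHOIS database: 2018-01-25T00:00:00Z <<<
"""

# Placeholder strings registrars substitute for withheld contact data (assumed markers).
REDACTION_MARKERS = ("REDACTED", "DATA PROTECTED", "NOT DISCLOSED", "WITHHELD")


def whois_query(domain: str, server: str, timeout: float = 10.0) -> str:
    """RFC 3912 lookup: connect to TCP/43, send the query plus CRLF, read until close."""
    with socket.create_connection((server, 43), timeout=timeout) as sock:
        sock.sendall(domain.encode("ascii") + b"\r\n")
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")


def parse_whois(text: str) -> Dict[str, List[str]]:
    """Turn 'Key: value' lines into a dict; repeated keys such as Name Server accumulate."""
    record: Dict[str, List[str]] = {}
    for line in text.splitlines():
        # Lazy key match stops at the first colon, so timestamps in values survive intact.
        m = re.match(r"^\s*([A-Za-z][A-Za-z /]+?):\s*(.*?)\s*$", line)
        if not m:
            continue  # banner and '>>> ... <<<' footer lines are skipped
        record.setdefault(m.group(1).strip(), []).append(m.group(2))
    return record


def redacted_contact_fields(record: Dict[str, List[str]]) -> List[str]:
    """Return registrant fields whose value is empty or a redaction marker."""
    hits = []
    for key, values in record.items():
        if key.startswith("Registrant") and any(
            not v or any(mk in v.upper() for mk in REDACTION_MARKERS) for v in values
        ):
            hits.append(key)
    return hits
```

An analyst triaging a suspicious domain can run `whois_query` against the registrar's server, then use `redacted_contact_fields` to see at a glance whether the record still carries usable contact data or only placeholders.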
The question, then, is whether anyone should be able to use these databases to look up information about the people behind a domain name. In other words, is WHOIS a critical feature for internet security, or a detrimental remnant of the early days of the web?
This is a debate that has been simmering for well over a decade at the Internet Corporation for Assigned Names and Numbers (ICANN), a nonprofit NGO responsible for the fate of WHOIS data. But the implementation of the GDPR later this year has pushed the issue to the forefront of the organization’s agenda.
Last November, ICANN announced that it would not take action against registrars for “noncompliance with contractual obligations related to the handling of registration data.” In other words, even though ICANN would normally take legal action against registrars that didn’t publish WHOIS information as stipulated in their agreement with ICANN, the organization said it wouldn’t pursue legal action against registrars that failed to do this until a new WHOIS data agreement that takes into account the GDPR is created.
In order to qualify for this deferral of action, registrars had to propose their own models for compliance with WHOIS rules. Then on January 12, ICANN issued a document outlining three possible interim solutions for domain registrars that would allow them to comply with both ICANN’s rules and the implementation of the GDPR in Europe until ICANN can come up with a more permanent solution for the future of WHOIS.
The problem, briefly stated, is that ICANN has agreements with the thousands of domain registrars around the globe like GoDaddy or HostGator which oblige the companies to post WHOIS data—such as names, emails, and phone numbers—for every domain registrant with their service. On the other hand, the GDPR prohibits companies from publishing information that identifies individuals, which means that when the law goes into effect in April, ICANN’s agreements with registrars about WHOIS data will be illegal, at least in Europe.
On the same day that ICANN’s interim WHOIS solutions were published, GoDaddy—the largest domain registrar in the world—announced that it would retract bulk searches of WHOIS contact details for its 17 million customers starting January 25.
“We are taking steps to protect our customers from spam and robocalls, which is a problem for our customers all over the world,” James Bladel, GoDaddy’s vice president of global policy, told me in an email. “This is unrelated to the upcoming General Data Protection Regulation. GoDaddy, along with ICANN and the rest of the industry, is evaluating the potential impact of GDPR on WHOIS access.”
Bladel cited a “spike” in customer complaints about being inundated with spam “within minutes” of registering a domain and a flood of accusations that GoDaddy is selling customer data to spammers. But many security researchers who depend on being able to access WHOIS data in bulk see this move as the company taking advantage of the uncertainty surrounding the future of ICANN WHOIS rules.
“GoDaddy has unilaterally decided to redact email, names, and phone numbers from all WHOIS records they publish, which is a significant change from what they’re contractually required to do through their registrar agreement with ICANN,” Tim Chen, CEO of DomainTools, a WHOIS data analytics firm, told me on the phone. “It’s very different from how any registrar has acted in the past.”
Registrars like GoDaddy and the organizations behind WHOIS lookup programs like ICANN’s search and DomainTools have tried various other ways of limiting the bulk collection of WHOIS data by spammers, such as implementing captchas or showing the contact information for a website owner as images rather than plaintext, to limit automated data collection.
Despite these efforts, Chen said it is likely that other registrars will soon follow in GoDaddy’s footsteps and retract bulk WHOIS data searches. The reason, he said, is that for domain registrars, “it’s not really in their interest to have this data available because it’s their data on their customers.” Moreover, the onus of maintaining a server for the WHOIS data falls on the registrar, which is a cost for the company. And as Bladel mentioned, registrars are often blamed by customers for “selling” their information when spammers scrape WHOIS data.
“Registrars don’t want to have WHOIS exist at all,” Chen said. “So they’re taking this opportunity to see how far they can push things.”
The move comes as a blow to security researchers who depend on bulk access to WHOIS data, as well as data analysis services like Chen’s DomainTools, to do their work. Xavier Mertens, an independent security consultant in Belgium, told me that for him and others in his line of work, WHOIS is often the first line of defense when assessing a threat.
“You see malicious activity related to a domain name and your first reflex is to see who’s behind this domain,” Mertens told me in an email. “If WHOIS data are not publicly available, but only to accredited organizations, can you imagine the amount of administrative tasks and effort just required to access this information?”
Journalists also regularly use WHOIS data to find contact information for possible sources, and internet archivists use WHOIS data to ask for permission to save websites that appear to have been abandoned or are in danger of being deleted forever.
ICANN is in a tough position. On the one hand, the organization is under pressure from law enforcement officials and security researchers who depend on WHOIS data to investigate possible crimes or mitigate devastating malware attacks. On the other hand, the organization must also accommodate laws like the GDPR that are the only bulwark against the wholesale trade in individuals’ data by internet giants like Google and Facebook.
After years of discussion, ICANN released a report in 2014 that included a number of proposals for completely replacing WHOIS.
The recommended solution was to implement a Registration Directory Service (RDS), which would run an automatically updated database filled with domain registration data from all the accredited registries. Under this scheme, most domain registration data would be ‘gated’ by default, unlike current WHOIS standards, where most registration data is public. This would allow registrars to provide their customers access to the registrar’s own data, but any other requests for ‘gated’ data would have to be routed through the RDS itself. Before the RDS would authorize access to this data, the person or organization requesting it would have to identify themselves and their purpose for using it. This would, in effect, satisfy demands for individual data protection and proprietary data protection for registrars, block spammers, and also give security researchers an avenue to conduct their work.
Three years later, ICANN doesn’t seem to be any closer to actually implementing this proposal for a WHOIS overhaul, or any others for that matter. This was made painfully clear last November during a series of meetings at ICANN to hash out the organization’s response to the impending GDPR legislation.
Last month, ICANN published a memo that outlines plans for a number of interim models that essentially allows registrars to retract personal information about a domain registrant such as that person’s name, email, or phone number from public WHOIS data until ICANN can finalize plans for a replacement of WHOIS.
Heather Forrest, the chair of ICANN’s Generic Names Supporting Organization, declined to comment on the organization’s future WHOIS plans, but told me in an email that “the GNSO council has several WHOIS-related matters on its agenda in 2018, not least of which is the next generation Registration Directory Service policy development process.”
Forrest said the GNSO council met in Los Angeles last week to discuss how to improve ICANN’s policy development pipeline, but that the forthcoming report from the group won’t include any comments on any of the proposed WHOIS interim models published earlier in January.
The enactment of the GDPR in May may very well signify the beginning of the end for WHOIS data, but that’s not necessarily a bad thing. The GDPR privacy laws are forcing solutions to the debate about how best to manage privacy and accountability on the internet, even if those debates can seem to move painstakingly slowly.
In the near term, security researchers like Mertens and WHOIS data analytics firms like DomainTools will likely suffer from restricted access to bulk WHOIS data services as registrars like GoDaddy retract access. As for individuals outside of Europe who want to hide their WHOIS data, they can opt to mask their information through their registrar, although this often comes with an additional fee.
“For years, registrars have taken the privacy of domain owners into account by offering services to hide their data, so I don’t think that the GDPR will kill WHOIS,” Mertens said. “The risk is that more and more data will be removed from the public WHOIS database since it will be easier for many organizations to remove sensitive data, instead of taking time to properly implement the controls required by the GDPR.”
It’s uncertain when ICANN will have a finalized protocol for a next generation version of WHOIS, but an overhaul of this nearly 30-year-old protocol is long overdue. The notion that individual data should require a requester to also provide their own data is both equitable and intuitive—the only remaining question is how to make it work.