Registrars have begun to remove the availability of Personal Data in their Whois data services, and to design (or not) various methods for interested parties with a legitimate interest in the data to contact them to request further access. Because ICANN has not directed policy for access to full Whois data by accredited or legitimate parties, the world is left to its own devices as to whether or how access may be gained. Early returns indicate that, outside of law enforcement, it will be very difficult for security and brand protection practitioners to access the Personal Data fields in Whois until a new standard and model for such access is agreed by ICANN's stakeholders, many of whom would prefer that access to Whois be significantly and permanently restricted.
In July 2018 at the Panama City ICANN Conference, ICANN's own Security and Stability Advisory Committee (SSAC) published SSAC Advisory 101 outlining some real security concerns arising from the current, fractured Whois landscape. It is noteworthy that this highly regarded Advisory Committee is publishing official commentary on how the degradation of Whois data availability is having a real impact on the ability of security practitioners to do the important work they do. Some of the issues that SSAC is concerned about include: Whois data redaction, Whois lookup rate limiting on Port 43, and the application of GDPR more broadly than required by EU lawmakers.
In July 2018 ICANN spun up an emergency Policy Development Process (ePDP) team to work on the deliverables outlined in the Temporary Specification, all of which have a very short time window for execution. The hope is that an outcome of the ePDP process is a new Whois standard and policy, based on the Registry Data Access Protocol (RDAP), approved and live by next summer. It remains more likely that there may be some agreement on technical standards, but the divisive nature of the Whois discussions at ICANN over the last 18 months makes policy progress a real challenge.
In May 2018 ICANN passed a Temporary Specification for an interim whois model that will exist for one year, until May 25th 2019. The purpose of this contractual requirement between ICANN and its Registrars and Registries is to maintain an enforceable standard of Whois publication while adhering to the GDPR, and giving all parties more time to discuss and make policy around a new Whois standard going forward. The Temporary Specification fails to provide a mechanism for parties with a legitimate interest in the full Whois data to access such data in any uniform, predictable or enforceable way. This is of great concern, not just for law enforcement personnel but also for security researchers and practitioners who rely on this data to protect their networks and constituents and to investigate malicious behavior online.
The GDPR privacy law of the European Union went live on May 25th 2018. This law aims to protect the data privacy of EU citizens (referred to as "Natural Persons" in the law, in order to differentiate from corporate or other organizational entities which are referred to as "Legal Persons" in the law) as well as give them more control as to when their Personal data is collected, how it is processed and how long it is stored. So-called "Data Subjects" also have a right to request what Personal data organizations have collected and to request a copy of such data. The law does have carve-outs, for situations that involve consent, contracts and certain aspects related to private or public security and issues of a public interest.
Whois, the system used for querying databases of information on domain name registrations and IP addresses, has been a vital tool for journalists, security researchers and law enforcement in identifying and tracking spammers, phishers, identity thieves and other cybercriminals. However, when the EU's General Data Protection Regulation takes effect on May 25, the service will be heavily limited or possibly shut down completely in order to comply with privacy requirements. How will this impact cybersecurity? Does WHOIS raise legitimate privacy concerns? Shane Tews, President of Logan Circle Strategies and visiting fellow at the American Enterprise Institute, and Tim Chen, CEO of DomainTools, discuss the topic.
Tim Chen Discusses the History of DomainTools and the Impact of GDPR on Cybersecurity
ICANN Meets with the Article 29 Working Party
Goran Marby, ICANN CEO, summarized the meeting in a recent blog post. In that meeting, ICANN reiterated that its bylaws require it to act "for the benefit of the Internet community as a whole" and that ICANN must take into account that WHOIS "meets the legitimate needs of law enforcement, promoting consumer trust and safeguarding registrant data", though questions remain around how it does so. The meeting discussed an accreditation model to allow approved entities continued access to Whois data. ICANN is continuing the conversation with WP29, but it is not expected that any model will be in place prior to May 25, 2018.
At this time, DomainTools continues to operate under the assumption that certain fields in Whois data will be severely redacted and restricted. GDPR is intended to apply only to natural persons in the EU, but ICANN has granted allowance for Registrars to apply the data redaction across all domain registrations globally. It is uncertain at this time what Registrars will provide in Whois records.
ICANN Cross-Community Session: GDPR & WHOIS Compliance Models
At the recent ICANN 61 meeting in Puerto Rico, DomainTools CEO Tim Chen spoke on behalf of the security community and the business constituency of ICANN to provide feedback on the proposed interim model for Whois data.
There is also a useful summary of the proposed GDPR and WHOIS Compliance model.
DomainTools releases a relevant white paper: How Whois Data Ensures a Safe and Secure Internet
ICANN publishes an interim compliance model for Whois, based on community and legal input. They also ask the community to provide input and feedback.
ICANN asks the community to submit models for GDPR compliance.
ICANN begins commissioning its own legal advice on GDPR from a law firm in the EU. The result is a three-part memorandum.
ICANN constructs a Whois data flow and use matrix to better understand the purposes of each collected data field in Whois.
GDPR panel discussions take place, for the first time, at ICANN's meeting in Copenhagen.
GDPR is passed into law by the EU Parliament.
GDPR, the General Data Protection Regulation, is a sweeping new European Union personal privacy law set to take effect May 25, 2018, and has the potential to have a significant impact on how organizations worldwide collect, process, store and provision data that can be classified as personally identifiable of EU citizens. The law applies only to the data of ‘natural persons’ and not to corporations or other legal entities.
Certain fields of domain name whois data may be personally identifiable, such as registrant name or email address. In the cases where these data fields represent a natural person in the EU, the GDPR will apply as to the collection and processing of that specific data.
DomainTools wants to represent the interests of security practitioners worldwide, at the intersection of domain name Whois data and the GDPR. We are working directly with EU Data Protection Authorities, with ICANN constituencies, and with a group of like-minded individuals and organizations who believe we can find a suitable solution for legitimate interests in whois data under the letter of the GDPR law.
It’s unclear if the language of GDPR will change since it has already passed into legislation (but not enforcement), but the interpretation of the broadly written clauses is already shifting as more voices emerge to challenge how far-reaching the law should truly be. We expect continued evolution in this regard up to and likely past May 2018.
Please send an email to [email protected] for more information.
DomainTools is closely following the pending enforcement of the European Union General Data Protection Regulation (GDPR) set to begin May 25, 2018. No doubt most of our Enterprise customers are also aware as this sweeping privacy legislation affects all organizations doing business in the EU and/or collecting personally identifiable information of EU citizens.
Certain data sets that DomainTools collects and processes in the provision of our services to customers, specifically Whois data on domain names, may come under the GDPR jurisdiction. The law is broadly written, and has carve outs for, among other things, network security, personal security and the prosecution of criminal offenses. As the interpretations of this law continue to emerge and evolve we will continue to keep our customers apprised of how it may affect the data and products that we know are critical to the important work you do every day.
DomainTools respects the right to privacy for all individuals using the Internet for legal and non-nefarious purposes. We are, after all, a company of such Internet-using individuals who understand and experience daily the legitimate concerns around tracking and privacy. Yet our exclusive mission is and has been to create and provision uniquely useful and effective threat intelligence products for organizations worldwide. We believe that a fair balance can be achieved between security and privacy on the Internet, and that both are important to protect.
The security and protection of individuals, employees, customers, brands, intellectual property, and a host of other important assets and constituencies should remain a priority and voices that represent these interests need a seat at the legislative table. The Internet is a global, distributed, multi-stakeholder resource and one that will always need to strike a balance between competing equities. The security and stability of the Internet is a core tenet of ICANN’s mission. Understanding who owns or controls the resources that Internet users want to or are being asked to navigate to, and the underlying DNS protocols that rely on this same data to function, are critical to maintaining the trust and operability of today’s Internet.
DomainTools’ growing customer base includes national-level Computer Emergency Response Teams (CERTs) including many in the EU itself, leading security research organizations within universities across the globe, government-led security agencies in over 10 countries tasked with protecting the infrastructure and citizens they represent, and nearly 500 corporate customers including 35 of the Fortune 100 and over 100 within the EU region itself. DomainTools is engaging with European regulators, ICANN constituencies and our outstanding and loyal customers and partners in an effort to fairly and strongly represent the interests of security practitioners in the GDPR debate. Our many years of experience as a security solutions vendor, along with nearly 20 years managing Whois data, positions us well to be an effective resource in this discussion.
We encourage input in this critical discussion from all constituencies that have a stake in the openness and trustworthiness of today's Internet. Customers that would like to speak with DomainTools further about our position on this important issue, or who want to join our efforts to represent security practitioners worldwide, please contact us at [email protected]. We expect the GDPR landscape to rapidly evolve as we approach May 2018, and we will continue to keep our customers and stakeholders updated on progress towards an outcome that maintains the balance of equities that Internet users have successfully enjoyed for more than 25 years.