ICANN Cannot Expect the DPAs to Re-Design WHOIS, but Asking for a Reprieve Makes Sense

We are on the brink of the most serious threat to the open and public Internet for decades. ICANN, under pressure from domain name registrars and EU data protection authorities, has proposed an "interim" plan that will hide critical information in WHOIS. Security, threat intelligence, and anti-abuse professionals rely on WHOIS to track down bad guys and keep the Internet as safe and secure as possible.

ICANN and the registrars have been going back and forth on ways to align privacy laws with the WHOIS system, which functions as a public "phone book" for Internet domains, recording information that includes the name, email address, street address, and phone number of the company or individual who registered the domain.

For years, there has been an accepted procedure for handling situations in which WHOIS conflicts with privacy law — nobody disputes the importance of protecting the privacy of natural persons. But now, with less than sixty days to go before the General Data Protection Regulation (GDPR) adopted by the European Union (EU) comes into force, registrars, who finance ICANN, have pressured ICANN into closing the public phone book effectively altogether, turning the open and public Internet into a Tor-like deep and dark net. Specifically, ICANN came out with an interim solution nicknamed the "Cookbook," which suggests completely masking the contact email address, thereby completely hiding who is responsible for managing or controlling a resource on the Internet. The Cookbook also suggests masking certain information for corporations, even though GDPR doesn't apply to them.

The ability to register domains anonymously is a massive problem for the security of the internet — attackers need to establish an infrastructure to originate their attack and set up servers to communicate with their malware. Often, they'll register multiple domains at the beginning of an attack campaign for use during all phases of their operations. Security professionals rely on WHOIS to query for ownership information about a domain, IP address, or subnet. Without this data, it becomes significantly more difficult to rapidly take down phishing sites or compromised domains hosting malware — the vast majority of cybercriminal activities. Some think that it is the hosting provider's problem to fix, but unless their customer is reaching out to them, they likely have a different service department handling the issue, and probably even have a backlog to deal with. By reaching out directly to the victims in parallel by phone and email, those victims are able to help themselves more quickly.

The Cookbook also makes it impossible to see which sites are connected or under the same management or control. For example, if someone in an organization's marketing department registered a domain using a corporate account without going through the correct internal procedures, and that site did not have the right patches or was not scanned for vulnerabilities, their online customers and visitors will likely become exposed to phishing and malware.

With the registrar business being low-margin, anything that will reduce the security line item on their budget is attractive to many registrars if they can get away with it. Registrars generally would rather conceal the connectedness between domain assets than lose business or deal with reports of malicious activity. Because GDPR is complex, difficult to interpret at this early stage and comes with heavy fines of up to 4% of annual global turnover, GDPR has been weaponized by registrars to pressure ICANN into making the domain name system more closed and private.

The Governmental Advisory Committee (GAC) of ICANN met in San Juan, Puerto Rico in March 2018. The GAC advised the ICANN Board to instruct ICANN to maintain the current structure of the WHOIS to the greatest extent possible. The GAC essentially pleaded to the ICANN Board to instruct ICANN that it must reconsider hiding the registrant email addresses from the free phone book, emphasizing (quite diplomatically) that it may not be proportionate given the significant adverse impact on law enforcement, cybersecurity, and rights protection it would have.

The GAC appropriately went even further by emphasizing to the ICANN Board that it must instruct ICANN not to erroneously use GDPR, which applies to people, as an excuse to shut down public access to corporate contacts in the phone book, which is not even in the remit of GDPR. This unjustifiable over-application of GDPR prevents companies from effectively defending their very own infrastructure. Whether it is technically feasible to require the same cryptographic hash function across registrars for individually owned domains, so that one can still pivot on the (hashed) email across registrars, has now been submitted for discussion with the world's top experts in this area. Technical discussions are also underway on whether, going forward, the local part of the registrant email on a corporate domain can be required to be generic and otherwise masked (leaving only the corporate domain, which carries no information relating to an identified or identifiable natural person) for the sake of security and stability. These less drastic (conceivably possible) measures will certainly not be coming from the DPAs on their own initiative. The ICANN org must do that work.
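To make the two measures discussed above concrete, here is an added illustration (not code from the article, RiskIQ or ICANN) of how a shared hash lets a defender link domains across registrars without seeing the registrant's address, and how a corporate contact can be reduced to its domain. SHA-256, lower-casing as the normalization rule, the generic "abuse" mailbox, the registrar names and every record are assumptions or constructed sample data; the article names none of them.

```python
import hashlib
from collections import defaultdict

# Constructed sample WHOIS-style records from two hypothetical registrars.
# None of these domains, names or addresses are real; they only show how a
# shared hash lets a defender link registrations across registrars.
RECORDS = [
    {"registrar": "Registrar-A", "domain": "example-shop-login.test",
     "registrant_type": "natural", "email": "J.Doe@Example.org"},
    {"registrar": "Registrar-B", "domain": "example-shop-verify.test",
     "registrant_type": "natural", "email": "j.doe@example.org"},
    {"registrar": "Registrar-A", "domain": "unrelated-blog.test",
     "registrant_type": "natural", "email": "someone.else@example.net"},
    {"registrar": "Registrar-B", "domain": "acme-payments.test",
     "registrant_type": "legal", "email": "bob.smith@acme.example"},
]


def normalize_email(addr: str) -> str:
    """Canonicalise an address so the same mailbox hashes identically no
    matter how a registrar stored it. Assumption: trimming and lower-casing
    is the agreed rule (mail systems treat the local part case-insensitively
    in practice, although RFC 5321 permits case-sensitivity)."""
    return addr.strip().lower()


def hashed_contact(addr: str) -> str:
    """Pseudonymise a natural person's address with SHA-256 (assumed here;
    the article only says 'the same cryptographic hash function'). Every
    registrar applying the same function yields the same token, which is
    what makes cross-registrar pivoting possible."""
    return hashlib.sha256(normalize_email(addr).encode("utf-8")).hexdigest()


def masked_corporate_contact(addr: str) -> str:
    """Replace the local part of a corporate address with a generic mailbox
    (assumed to be 'abuse'), keeping only the corporate domain."""
    _local, _, domain = normalize_email(addr).rpartition("@")
    if not domain:
        raise ValueError(f"not an email address: {addr!r}")
    return f"abuse@{domain}"


def publish(record: dict) -> dict:
    """Produce the public view of one record under the two proposals."""
    if record["registrant_type"] == "natural":
        contact = hashed_contact(record["email"])
    else:
        contact = masked_corporate_contact(record["email"])
    return {"registrar": record["registrar"],
            "domain": record["domain"],
            "contact": contact}


def pivot_on_contact(public_records):
    """Group published records by contact token. Only tokens shared by
    more than one domain help a defender link related infrastructure."""
    groups = defaultdict(list)
    for rec in public_records:
        groups[rec["contact"]].append(rec["domain"])
    return {token: sorted(domains)
            for token, domains in groups.items() if len(domains) > 1}


if __name__ == "__main__":
    public = [publish(r) for r in RECORDS]
    for token, domains in pivot_on_contact(public).items():
        print(f"{token[:16]}... -> {', '.join(domains)}")
```

The two natural-person records registered at different registrars with differently cased addresses collapse into one token, so the defender sees that both domains share a registrant without learning the address; the corporate record is published as abuse@acme.example. Because the token is unkeyed and deterministic by design, the property that allows pivoting also lets anyone holding a candidate address check whether it matches a token; a per-registrar salt would remove that exposure but would also break cross-registrar matching, which is the trade-off the technical discussion mentioned above has to settle.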

If the phone book must change in some ways, notwithstanding the accepted procedures for handling WHOIS conflicts with privacy laws, then ICANN must ensure that those with a legitimate purpose still have continued access to the contact information needed to protect business and the public until the re-designed phone book is ready for use. You can't just close the book and tell security professionals, who rely on WHOIS data to keep the internet safe, to come back when it's re-designed, potentially months later. It's entirely unacceptable for ICANN to leave each registrar to decide if and how it will provide continuous access, with no means of enforcement. Continuous access must be mandatory. The phone books also have to be easy to use in today's world, i.e., not designed to impose limits that undermine all functionality in the digital age — if you can only use the phone book manually or less than you would reasonably need, the query volume limitation is no more than a disguised blockade. I guarantee that the registrars do not have the resources to start taking on the additional work needed on the back-end that is being done for them using bulk access. But unless and until the accreditation system is up and running efficiently, that is what would have to happen to avoid disrupting the stable and secure operation of the Internet's identifiers.

To repeat, we are on the brink of the most serious threat to the open and public Internet for decades. We must step up to the plate and not get complacent about this. ICANN must have a way to hold registrars accountable if they abuse GDPR as an excuse to cripple WHOIS.

We at RiskIQ sent a letter requesting such adequate assurances from the Board on March 26. To express your concern, we prepared a generic letter you can fill out here. This letter will go to ICANN's Board, ICANN's CEO, and the GAC Public Safety Working Group Co-Chairs. Copies will be sent to the DPAs. ICANN has since corresponded in writing and yesterday published twenty-eight letters to DPAs asking for help:

We request you to help ICANN and the domain name registries and registrars to maintain the global WHOIS in its current form, through either clarification of the GDPR, a moratorium on enforcement or other relevant actions, until a revised WHOIS policy that balances these critical public interest perspectives may be developed and implemented.

The DPAs will not be able to come up with the technical solutions that are necessary to architect WHOIS in a way that is both compliant with GDPR and at the same time not damaging to the security and stability of the DNS. That is the only way an ICANN temporary policy can be used to hold registrars accountable. We need to do that work. A moratorium on enforcement is not what is needed, but rather a tiered-phase enforcement forbearance with strong snapback provisions. The phases should be subject to discussion between ICANN, the community, and the DPAs. One phase may be re-designing the public WHOIS so that it is minimally disruptive to the security and stability of the DNS and consistent with GDPR. The second phase may look at an accreditation model and what needs to be done by ICANN to help the community build it into the system architecture in a fair and just manner. For each phase, deadlines can be set against which the DPAs can measure whether enforcement should snap back into force.

Yesterday, ICANN's President and CEO met with the technology subgroup of the Article 29 Working Party. It appears to have been confirmed based on a third-party source that as anticipated by ICANN, the WHOIS system is on the upcoming Article 29 plenary's agenda in less than two weeks. ICANN is hopeful that it will be provided with a moratorium on enforcement that would allow sufficient time to implement the model and build the appropriate accreditation system. The model must reflect GAC consensus advice not to make changes to the current WHOIS that are not required by GDPR and disrupt the stability and security of the DNS.

Written by Jonathan Matkowsky, VP of Intellectual Property & Brand Security at RiskIQ
