EU privacy rules hobble online sleuthing
Cybersecurity stakeholders are pushing U.S. lawmakers to rescue WHOIS, a tool for identifying internet domain ownership that's been hamstrung by the EU's privacy regulations.
Why it matters: WHOIS has been a public address book for domain owners since the earliest days of the internet. A bevy of online investigators — from law enforcement authorities to human rights groups to cybersecurity researchers — have long relied on its data. But the EU's General Data Protection Regulation (GDPR) deems the information in WHOIS to be too personal to share without a thorough consent agreement.
GDPR, which turns 1 in May, applies to any company doing business with Europe. Many registrars, the authorities who dole out domains (names like "axios.com"), have responded by simply not providing data to WHOIS.
This is a feature, not a bug. Before GDPR took effect, ICANN, the governing body for internet domain names, and several researchers told the EU that this was going to be a problem. But EU legislators chose not to fix it.
- "When investigators interacted with the EU, the EU took the position, 'Our job is to make the law, your job is to interpret it,'" said Tim Chen, CEO of DomainTools, a cybersecurity firm originally known for simplifying access to tools like WHOIS.
The impact: Online investigators use WHOIS information for more than just contacting a website's owner.
- Cross-referencing WHOIS data is a good way to find broader criminal activity and prevent attacks. The emails used to register one site used in a phishing campaign can be used to find other sites run by the same party.
- The same technique can be used to find sites co-owned by someone hosting terrorist propaganda or a website used to control or distribute malware.
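As an added illustration of the pivot described above (example code written here, not from the article or from DomainTools): a small Python routine that extracts the registrant email from constructed WHOIS records, links domains that share it, and reports the GDPR-redacted records on which the pivot can no longer be made. All domains, names and addresses below are constructed for the example.

```python
import re

# Constructed sample WHOIS records (reserved .test names, fictional registrant).
# Two are pre-GDPR style with a registrant email; the third is GDPR-redacted.
SAMPLE_WHOIS = {
    "login-verify-example.test": """Domain Name: login-verify-example.test
Registrant Name: J. Doe
Registrant Email: jdoe1234@mail.example
Name Server: ns1.host.example""",
    "secure-update-example.test": """Domain Name: secure-update-example.test
Registrant Name: J. Doe
Registrant Email: JDoe1234@mail.example
Name Server: ns2.host.example""",
    "account-alert-example.test": """Domain Name: account-alert-example.test
Registrant Name: REDACTED FOR PRIVACY
Registrant Email: REDACTED FOR PRIVACY
Name Server: ns1.host.example""",
}

# Placeholder strings registrars commonly substitute for personal data.
REDACTED_MARKERS = {"REDACTED FOR PRIVACY", "DATA REDACTED", ""}


def registrant_email(record: str):
    """Return the lower-cased registrant email, or None if it is redacted/absent."""
    m = re.search(r"^Registrant Email:\s*(.*)$", record, re.MULTILINE)
    if not m:
        return None
    value = m.group(1).strip()
    if value.upper() in REDACTED_MARKERS or "@" not in value:
        return None
    return value.lower()


def pivot_on_email(seed_domain: str, records: dict):
    """Link domains sharing the seed's registrant email.

    Returns (related, unpivotable): `related` are other domains with the same
    registrant email; `unpivotable` are records whose email is redacted and so
    cannot be connected to anything by this technique.
    """
    seed_email = registrant_email(records[seed_domain])
    related, unpivotable = [], []
    for domain, record in records.items():
        email = registrant_email(record)
        if email is None:
            unpivotable.append(domain)
        elif seed_email is not None and email == seed_email and domain != seed_domain:
            related.append(domain)
    return sorted(related), sorted(unpivotable)
```

Running `pivot_on_email("login-verify-example.test", SAMPLE_WHOIS)` links the second domain through the shared email and lists the redacted third domain as unpivotable, which is the loss of connection the article describes.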
But it's not just cybercrime. CINTOC (the Center on Illicit Networks and Transnational Organized Crime) is a charitable group that uses WHOIS to fight organized crime in vulnerable populations, including human trafficking and natural resource and wildlife crimes.
- "Criminals have web presences. I can use that information to go to a criminal's bank and get financial details," said Kathleen Miles, CINTOC director of analysis. "But when GDPR went through, we lost that connection. We lost it in Africa. We lost it in Europe. We lost it in a lot of the United States as well."
Because the EU is the only jurisdiction with a law that applies to WHOIS, Chen fears ICANN, which is currently updating its WHOIS guidelines, will have nothing to counterbalance GDPR's strictures.
The answer, according to a coalition that includes DomainTools, CINTOC and others, is for the U.S. to pass its own law requiring that websites designed to interact with U.S. citizens participate in WHOIS.
- That group, called the Coalition for a Secure and Transparent Internet (CSTI), is currently meeting with lawmakers on Capitol Hill about their ideas and is drafting model legislation.
- CSTI also includes trade associations that protect commercial interests, like legitimate online pharmacies that need WHOIS to thwart phony competitors, and the MPAA and RIAA, entertainment industry groups that use WHOIS as a tool against piracy sites.
By the numbers: A survey conducted by two cybersecurity industry groups showed 80% of investigators who used WHOIS before GDPR began were unable to find an equally useful replacement.
- "We knew it was going to be a problem," said Chen. "Now we have data to show we were right."
The bottom line: Regulating privacy is a complex balancing act. In this case, an important piece of internet infrastructure has become collateral damage to the GDPR, and eyes are on the U.S. for a fix.
Editor's note: An earlier version of this article incorrectly reported a quotation by Tim Chen of DomainTools about the EU's stance toward investigators.