Welcome to Codebook, the cybersecurity newsletter heavily invested in new sandwich research.
Cybersecurity stakeholders are pushing U.S. lawmakers to rescue WHOIS, a tool for identifying internet domain ownership that's been hamstrung by the European Union's privacy regulations.
Why it matters: WHOIS has been a public address book for domain owners since the earliest days of the internet. A bevy of online investigators — from law enforcement authorities to human rights groups to cybersecurity researchers — have long relied on its data. But the EU's General Data Protection Regulation (GDPR) treats the registrant name, address, email and phone number in a WHOIS record as personal data that cannot be published without a lawful basis, such as the registrant's explicit consent.
GDPR, which turns 1 in May, applies to any company handling the personal data of people in Europe, wherever that company is based. Many registrars, the companies that sell domain names (like "axios.com") to the public, have responded by simply redacting registrant contact details from the WHOIS records they publish.
This is a feature, not a bug. Before GDPR took effect, ICANN, the governing body for internet domain names, and several researchers told the EU that this was going to be a problem. But EU legislators chose not to fix it.
The impact: Online investigators use WHOIS information for more than just contacting a website's owner. Registrant details are what let an analyst tie a malicious domain to the other domains registered by the same person, and to the person behind them.
But it's not just cybercrime. CINTOC (the Center on Illicit Networks and Transnational Organized Crime) is a charitable group that uses WHOIS to fight organized crime in vulnerable populations, including human trafficking and natural resource and wildlife crimes.
Because the EU is the only jurisdiction with a law that applies to WHOIS, Tim Chen of DomainTools fears ICANN, which is currently updating its WHOIS guidelines, will have nothing to counterbalance GDPR's strictures.
The answer, according to a coalition that includes DomainTools, CINTOC and others, is for the U.S. to pass its own law requiring that websites designed to interact with U.S. citizens participate in WHOIS.
By the numbers: A survey conducted by two cybersecurity industry groups showed 80% of investigators who used WHOIS before GDPR began were unable to find an equally useful replacement.
The bottom line: Regulating privacy is a complex balancing act. In this case, an important piece of internet infrastructure has become collateral damage of the GDPR, and eyes are on the U.S. for a fix.
Editor's note: An earlier version of this article incorrectly reported a quotation by Tim Chen of DomainTools about the EU's stance toward investigators.
Cisco is calling for a different kind of privacy regulation debate in the U.S.
The big picture: Other companies have called for privacy regulations before — Facebook and Apple come to mind. But the debate has focused in no small part on Facebook and Google-style business models involving data brokerages and ads. Cisco's new call is largely concerned with everything else.
What they're saying: "We’ve been discussing ads for 20 years. It’s an important problem, and I don’t dismiss it," Michelle Dennedy, Cisco vice president and chief privacy officer, told Codebook. "But it’s very different than a comprehensive plan. We can’t be just concerned with the revenue of 2 companies."
Cisco's interest is partly practical: it wants clear rules so it can engineer its own products, which are sold to businesses rather than consumers, to comply with local and global privacy regimes.
The U.S. has never been great about unifying data privacy laws (see the struggles with a national breach notification standard), but Dennedy thinks this is a chance to do something big.
The Bundeskartellamt (Germany's antitrust office) has ordered Facebook not to combine data collected through WhatsApp and Instagram with Facebook accounts.
Germany said Facebook needs to get users' explicit consent before combining the data in those accounts. Axios' David McCabe has more here.
What's interesting is that combining data, something that Europe has frequently ruled verboten for privacy reasons, is now being viewed as an antitrust violation.
A prolific espionage group, which the U.S. government believes is Chinese, compromised billion-dollar business service provider Visma in August and September 2018, according to a Wednesday report by the threat intelligence firm Recorded Future.
Why it matters: Visma, located in Norway, has more than 850,000 customers. The Recorded Future report, produced in part with data garnered by industry partner Rapid7, also details intrusions into the networks of an unnamed U.S. law firm and unnamed apparel company.
Meanwhile, on Wednesday, DHS independently offered a webinar on the group believed to be behind that attack, aimed at industries that may be its future targets.
The English Session Orchestra performs at the reveal of Huawei's "Unfinished Symphony" at Cadogan Hall, Feb. 4, 2019. Photo: David M. Benett/Dave Benett/Getty Images for Huawei UK
There were many new twists Wednesday for Huawei, the beleaguered Chinese telecom manufacturer accused of involvement in Chinese espionage and violating sanctions against Iran, and a sudden flashpoint in the U.S./China trade war.
According to a Google-sponsored poll conducted by Harris and released Tuesday, 69% of people believe that they deserve an "A" or a "B" grade for their security practices.
Why it matters: Those are particularly nice grades for users who also say they are failing at basic security practices.
We at Codebook are not typically fans of surveys — most of those concerning security are methodologically weak and ask people questions they won't know the answer to, like "have you been breached?" — but this poll is uniquely interesting.
Codebook will return Tuesday.