Cybersecurity stakeholders are pushing U.S. lawmakers to rescue WHOIS, a tool for identifying internet domain ownership that's been hamstrung by the EU's privacy regulations.

Why it matters: WHOIS has been a public address book for domain owners since the earliest days of the internet. A bevy of online investigators — from law enforcement authorities to human rights groups to cybersecurity researchers — have long relied on its data. But the EU's General Data Protection Regulation (GDPR) deems the information in WHOIS to be too personal to share without a thorough consent agreement.

GDPR, which turns 1 in May, applies to any company doing business with Europe. Many registrars, the authorities who dole out domains (names like "axios.com"), have responded by simply not providing data to WHOIS.

This is a feature, not a bug. Before GDPR took effect, ICANN, the governing body for internet domain names, and several researchers told the EU that this was going to be a problem. But EU legislators chose not to fix it.

  • "When investigators interacted with the EU, the EU took the position, 'Our job is to make the law, your job is to interpret it,'" said Tim Chen, CEO of DomainTools, a cybersecurity firm originally known for simplifying access to tools like WHOIS.

The impact: Online investigators use WHOIS information for more than just contacting a website's owner.

  • Cross-referencing WHOIS data is a good way to find broader criminal activity and prevent attacks. The emails used to register one site used in a phishing campaign can be used to find other sites run by the same party.
  • The same technique can be used to find sites co-owned by someone hosting terrorist propaganda or a website used to control or distribute malware.

But it's not just cybercrime. CINTOC (the Center on Illicit Networks and Transnational Organized Crime) is a charitable group that uses WHOIS to fight organized crime in vulnerable populations, including human trafficking and natural resource and wildlife crimes.

  • "Criminals have web presences. I can use that information to go to a criminal's bank and get financial details," said Kathleen Miles, CINTOC director of analysis. "But when GDPR went through, we lost that connection. We lost it in Africa. We lost it in Europe. We lost it in a lot of the United States as well."

Because the EU is the only jurisdiction with a law that applies to WHOIS, Chen fears ICANN, which is currently updating its WHOIS guidelines, will have nothing to counterbalance GDPR's strictures.

The answer, according to a coalition that includes DomainTools, CINTOC and others, is for the U.S. to pass its own law requiring that websites designed to interact with U.S. citizens participate in WHOIS.

  • That group, called the Coalition for a Secure and Transparent Internet (CSTI), is currently meeting with lawmakers on Capitol Hill about their ideas and is drafting model legislation.
  • CSTI also includes trade associations that protect commercial interests, such as legitimate online pharmacies that need WHOIS to thwart phony competitors, and the MPAA and RIAA, entertainment industry groups that use WHOIS as a tool against piracy sites.

By the numbers: A survey conducted by two cybersecurity industry groups showed 80% of investigators who used WHOIS before GDPR began were unable to find an equally useful replacement.

  • "We knew it was going to be a problem," said Chen. "Now we have data to show we were right."

The bottom line: Regulating privacy is a complex balancing act. In this case, an important piece of internet infrastructure has become collateral damage to the GDPR, and eyes are on the U.S. for a fix.

Go deeper: EU data law may not have caused the expected sketchy website boom

Editor's note: An earlier version of this article incorrectly reported a quotation by Tim Chen of DomainTools about the EU's stance toward investigators.
