Feb 7, 2019

EU privacy rules hobble online sleuthing

Cybersecurity stakeholders are pushing U.S. lawmakers to rescue WHOIS, a tool for identifying internet domain ownership that's been hamstrung by the EU's privacy regulations.

Why it matters: WHOIS has been a public address book for domain owners since the earliest days of the internet. A bevy of online investigators — from law enforcement authorities to human rights groups to cybersecurity researchers — have long relied on its data. But the EU's General Data Protection Regulation (GDPR) deems the information in WHOIS to be too personal to share without a thorough consent agreement.

GDPR, which turns 1 in May, applies to any company doing business with Europe. Many registrars, the authorities who dole out domains (names like "axios.com"), have responded by simply not providing data to WHOIS.

This is a feature, not a bug. Before GDPR took effect, ICANN, the governing body for internet domain names, and several researchers told the EU that this was going to be a problem. But EU legislators chose not to fix it.

  • "When investigators interacted with the EU, the EU took the position, 'Our job is to make the law, your job is to interpret it,'" said Tim Chen, CEO of DomainTools, a cybersecurity firm originally known for simplifying access to tools like WHOIS.

The impact: Online investigators use WHOIS information for more than just contacting a website's owner.

  • Cross-referencing WHOIS data is a good way to find broader criminal activity and prevent attacks. The emails used to register one site used in a phishing campaign can be used to find other sites run by the same party.
  • The same technique can be used to find sites co-owned by someone hosting terrorist propaganda or a website used to control or distribute malware.

But it's not just cybercrime. CINTOC (the Center on Illicit Networks and Transnational Organized Crime) is a charitable group that uses WHOIS to fight organized crime in vulnerable populations, including human trafficking and natural resource and wildlife crimes.

  • "Criminals have web presences. I can use that information to go to a criminal's bank and get financial details," said Kathleen Miles, CINTOC director of analysis. "But when GDPR went through, we lost that connection. We lost it in Africa. We lost it in Europe. We lost it in a lot of the United States as well."

Because the EU is the only jurisdiction with a law that applies to WHOIS, Chen fears ICANN, which is currently updating its WHOIS guidelines, will have nothing to counterbalance GDPR's strictures.

The answer, according to a coalition that includes DomainTools, CINTOC and others, is for the U.S. to pass its own law requiring that websites designed to interact with U.S. citizens participate in WHOIS.

  • That group, called the Coalition for a Secure and Transparent Internet (CSTI), is currently meeting with lawmakers on Capitol Hill about their ideas and is drafting model legislation.
  • CSTI also includes trade associations that protect commercial interests, like legitimate online pharmacies who need WHOIS to thwart phony competitors, and the MPAA and RIAA, entertainment industry groups that use WHOIS as a tool against piracy sites.

By the numbers: A survey conducted by two cybersecurity industry groups showed 80% of investigators who used WHOIS before GDPR began were unable to find an equally useful replacement.

  • "We knew it was going to be a problem," said Chen. "Now we have data to show we were right."

The bottom line: Regulating privacy is a complex balancing act. In this case, an important piece of internet infrastructure has become collateral damage to the GDPR, and eyes are on the U.S. for a fix.

Go deeper: EU data law may not have caused the expected sketchy website boom

Editor's note: An earlier version of this article incorrectly reported a quotation by Tim Chen of DomainTools about the EU's stance toward investigators.
