Feb 7, 2019 - Technology

EU privacy rules hobble online sleuthing

Photo: Martin Konopka/EyeEm/Getty Images

Cybersecurity stakeholders are pushing U.S. lawmakers to rescue WHOIS, a tool for identifying internet domain ownership that's been hamstrung by the EU's privacy regulations.

Why it matters: WHOIS has been a public address book for domain owners since the earliest days of the internet. A bevy of online investigators — from law enforcement authorities to human rights groups to cybersecurity researchers — have long relied on its data. But the EU's General Data Protection Regulation (GDPR) deems the information in WHOIS to be too personal to share without a thorough consent agreement.

GDPR, which turns 1 in May, applies to any company doing business with Europe. Many registrars, the authorities who dole out domains (names like "axios.com"), have responded by simply not providing data to WHOIS.

This is a feature, not a bug. Before GDPR took effect, ICANN, the governing body for internet domain names, and several researchers told the EU that this was going to be a problem. But EU legislators chose not to fix it.

  • "When investigators interacted with the EU, the EU took the position, 'Our job is to make the law, your job is to interpret it,'" said Tim Chen, CEO of DomainTools, a cybersecurity firm originally known for simplifying access to tools like WHOIS.

The impact: Online investigators use WHOIS information for more than just contacting a website's owner.

  • Cross-referencing WHOIS data is a good way to find broader criminal activity and prevent attacks. The emails used to register one site used in a phishing campaign can be used to find other sites run by the same party.
  • The same technique can be used to find sites co-owned by someone hosting terrorist propaganda or a website used to control or distribute malware.

But it's not just cybercrime. CINTOC (the Center on Illicit Networks and Transnational Organized Crime) is a charitable group that uses WHOIS to fight organized crime in vulnerable populations, including human trafficking and natural resource and wildlife crimes.

  • "Criminals have web presences. I can use that information to go to a criminal's bank and get financial details," said Kathleen Miles, CINTOC director of analysis. "But when GDPR went through, we lost that connection. We lost it in Africa. We lost it in Europe. We lost it in a lot of the United States as well."

Because the EU is the only jurisdiction with a law that applies to WHOIS, Chen fears ICANN, which is currently updating its WHOIS guidelines, will have nothing to counterbalance GDPR's strictures.

The answer, according to a coalition that includes DomainTools, CINTOC and others, is for the U.S. to pass its own law requiring that websites designed to interact with U.S. citizens participate in WHOIS.

  • That group, called the Coalition for a Secure and Transparent Internet (CSTI), is currently meeting with lawmakers on Capitol Hill about their ideas and is drafting model legislation.
  • CSTI also includes trade associations that protect commercial interests, like legitimate online pharmacies who need WHOIS to thwart phony competitors, and the MPAA and RIAA, entertainment industry groups that use WHOIS as a tool against piracy sites.

By the numbers: A survey conducted by two cybersecurity industry groups showed 80% of investigators who used WHOIS before GDPR began were unable to find an equally useful replacement.

  • "We knew it was going to be a problem," said Chen. "Now we have data to show we were right."

The bottom line: Regulating privacy is a complex balancing act. In this case, an important piece of internet infrastructure has become collateral damage to the GDPR, and eyes are on the U.S. for a fix.

Go deeper: EU data law may not have caused the expected sketchy website boom

Editor's note: An earlier version of this article incorrectly reported a quotation by Tim Chen of DomainTools about the EU's stance toward investigators.

What's next

Bolton alleges in book that Trump tied Ukraine aid to investigations

Photo: Alex Wong/Getty Images

President Trump's former national security adviser John Bolton alleges in his forthcoming book that the president explicitly told him "he wanted to continue freezing $391 million in security assistance to Ukraine until officials there helped with investigations into Democrats including the Bidens," the New York Times first reported.

Why this matters: The revelations present a dramatic 11th hour turn in Trump's Senate impeachment trial. They directly contradict Trump's claim that he never tied the hold-up of Ukrainian aid to his demands for investigations into his political opponent Joe Biden.

Honoring Kobe Bryant: Sports stars, politicians and celebrities mourn NBA great

Kobe Bryant on court for the Los Angeles Lakers during the Sprite Slam Dunk Contest on All-Star Saturday Night, part of 2010 NBA All-Star Weekend at American Airlines Center in Dallas in February 2010. Photo: Jed Jacobsohn/Getty Images

Sports stars, politicians and celebrities paid tribute to NBA legend Kobe Bryant, who was killed in a California helicopter crash alongside his 13-year-old daughter, Gianna, and seven others on Saturday. He was 41.

What they're saying: Lakers great Shaquille O'Neal said in an Instagram post of his former teammate, "There's no words to express the pain I'm going through now with this tragic and sad moment of losing my friend, my brother, my partner in winning championships, my dude and my homie. I love you brother and you will be missed."

Go deeperArrow3 hours ago - Sports

What's next: Trump's broader travel ban

A sign for International Arrivals is shown at the Seattle-Tacoma International Airport. Photo: Ted S. Warren/AP

President Trump is expected to announce an expanded travel ban this week, which would restrict immigration from seven additional countries — Nigeria, Myanmar, Sudan, Belarus, Eritrea, Kyrgyzstan and Tanzania, per multiple reports.

  • The announcement would come on the third anniversary of Trump's original travel ban, which targeted Muslim-majority nations, per Axios' Stef Kight.