Privacy laws occasionally conflict with the work of security professionals and law enforcement agencies. The most recent example is the potential impact of the General Data Protection Regulation (GDPR) on the ICANN WHOIS database. The debate is essentially over whether ICANN should continue to publish the name and contact details of domain registrants in the WHOIS database, or prioritize the privacy rights of the registrant under GDPR over security concerns and thereby impact the work of researchers and organizations that rely upon this database.
From FireEye’s extensive experience analyzing cyber threats, limiting security researchers’ visibility into the digital infrastructure used to carry out malicious activity will hamper global security efforts and give adversaries an environment in which they can more easily hide.
The public nature of the WHOIS service has made it an invaluable tool for law enforcement agents, security professionals, brand owners and others who regularly use the service (FireEye and Pillsbury included). The information contained within the service allows security professionals to identify registrants of infrastructure suspected to be connected to cyber attacks, IP (intellectual property) infringement, and everything in between. While the registration information submitted can, of course, be intentionally misleading, it can nevertheless give vital clues as to the registrant in some cases. For example, in some instances, bad actors have registered domains with names related to their intended targets, helping analysts attribute and link activity. With the proposed GDPR implementations for WHOIS, it may be more difficult to aggregate actor activity and – in some cases – may limit the historical understanding of the threat.
Many European data protection authorities (DPAs) have long expressed concerns regarding the publication of WHOIS data. The Article 29 Working Party, which represents DPAs, has indicated that it is unlikely that publication can be justified on the basis of registrar consent (can this consent really be freely given?) or the legitimate interest of the person seeking the disclosure (do these rights really outweigh the rights of the registrant?). These are arguably the two most relevant lawful grounds ICANN could look to rely on to publish the registrant data under the GDPR.
The ramifications of this extend far beyond European organizations and individuals. Although GDPR is a European Union (EU) regulation, it applies to controllers, processors, and other recipients that do business in the EU or market to EU citizens – even if located in countries outside the EU when handling personal data from EU persons. Due to the size of the European market and difficulty in having diverse standards for different parts of the world, the regulation has the potential to become a global standard.
With this potential future, what can be done to ensure that GDPR does not lead to a drastic shifting of power balance to the adversary in cyberspace? ICANN recently published its much anticipated interim model for GDPR compliance – a proposed solution that marks a turning point away from open-access WHOIS data, and instead favors a tiered access approach.
Under the interim model, potentially valuable personal data will not be publicly available unless the individual registrant freely and expressly consents; registrars (the GoDaddys of the world) must first provide registrants with the opportunity to opt-in to the publication of their contact details in WHOIS. Information that will continue to be publicly available under the current model, however, includes the name of the registrant (if an organization), the organization’s state/province and country, and a generic email (e.g. information@...) for the organization.
Under the interim model, where individual registrants are concerned, contact details could only be accessed by third parties approved under an accreditation program administered by ICANN. The idea is that this program would not be limited to law enforcement and might also include intellectual property lawyers and security investigators, for instance. While this offers some glimmer of hope for the researchers and investigators who regularly rely on WHOIS information, data protection authorities are not sold.
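To make concrete how the interim model affects the registrant-based aggregation described above, the following added example (not code from the original post, FireEye or ICANN) parses a few constructed WHOIS-style records, pivots across domains by registrant email, and then re-runs the same pivot over the public-tier view in which individual contact data is withheld. The field names, the `REDACTED` marker and the assumption that an organization's listed address is already a generic one are assumptions made for the example.

```python
# Added example: WHOIS pivoting before and after interim-model redaction.
# The records below are constructed samples, not real registrations.
from collections import defaultdict

SAMPLE_WHOIS = """\
Domain Name: login-acme-corp.example
Registrant Name: Jane Doe
Registrant Organization:
Registrant State/Province: Hesse
Registrant Country: DE
Registrant Email: jdoe@mail.example

Domain Name: acme-corp-sso.example
Registrant Name: Jane Doe
Registrant Organization:
Registrant State/Province: Hesse
Registrant Country: DE
Registrant Email: jdoe@mail.example

Domain Name: widgets.example
Registrant Name: Widgets Ltd
Registrant Organization: Widgets Ltd
Registrant State/Province: Kent
Registrant Country: GB
Registrant Email: info@widgets.example
"""

def parse_whois(text):
    """Parse blank-line separated 'Key: value' records into dicts."""
    records = []
    for block in text.strip().split("\n\n"):
        rec = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            rec[key.strip()] = value.strip()
        records.append(rec)
    return records

def public_view(rec):
    """Public tier of the interim model (assumed field mapping): an
    organization's name, state/province, country and generic email stay
    visible; an individual's name and email are withheld unless opted in."""
    org = rec.get("Registrant Organization", "")
    pub = {k: rec.get(k, "") for k in ("Domain Name", "Registrant Organization",
                                         "Registrant State/Province", "Registrant Country")}
    pub["Registrant Name"] = org if org else "REDACTED"
    pub["Registrant Email"] = rec.get("Registrant Email", "") if org else "REDACTED"
    return pub

def pivot_by_email(records):
    """Group domains by registrant email, the linkage analysts use to aggregate activity."""
    groups = defaultdict(list)
    for rec in records:
        groups[rec["Registrant Email"]].append(rec["Domain Name"])
    return dict(groups)
```

Over the full records the two look-alike domains link to one registrant; over the public view they collapse into a single `REDACTED` bucket that carries no linkage at all, which is the loss of aggregation the post describes.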
Although the Article 29 Working Party welcomes ICANN’s efforts to achieve GDPR compliance, based on their April 11 letter to the ICANN board of directors, it continues to have concerns about ICANN's interim model and emphasized that ICANN should define the explicit and legitimate purposes for data collection based on its own organizational mission, which is to ensure the Internet's unique identifier system is operating in a stable manner.
With GDPR coming into effect on May 25, ICANN is asking for forbearance of enforcement to allow registrars and registries to apply the required changes to become GDPR compliant; however, no other industry has received a comparable extension. According to reports, ICANN executives are scheduled to meet with the Article 29 Working Party’s technical committee in late April to discuss further.
These regulations should serve as a reminder for investigators to reduce reliance on certain tools such as WHOIS as a source of threat actor information. Since threat actors are increasingly mindful of operational security, and many have moved towards using privacy protection services, researchers should consider a more holistic approach for identifying and tracking threat actor activity, including focusing on additional threat actor tactics, techniques and procedures (TTPs) identified during intrusion investigations. Nevertheless, WHOIS information remains a key source of valuable data for those protecting enterprises, and privacy regulations such as GDPR should be implemented thoughtfully to ensure these sources are not jeopardized.
Steven Farmer is counsel at Pillsbury Winthrop Shaw Pittman LLP and member of the firm’s Cybersecurity, Data Protection and Privacy practice. He can be reached at firstname.lastname@example.org.