On 25 May the General Data Protection Regulation (GDPR) will come into effect, and could make the job of incident response a whole lot harder for security researchers. The Internet Corporation for Assigned Names and Numbers (ICANN) could find itself on the wrong end of fines up to four percent of global revenue unless it makes changes to the WHOIS system of querying domain name registrant databases.
Currently, this type of registrant research is used as an investigative tool by security professionals when it comes to tackling everything from phishing scams to malware distribution sites. It's often something of a first stop during an incident response, especially where a legitimate site has been compromised to distribute malware without the registered owners knowing.
While most domain name registrars already offer a privacy protection service that hides registrant name, address and telephone contact from the public-facing WHOIS search, this doesn't appear to be enough to satisfy GDPR affirmative consent requirement. As a result, ICANN has proposed both redacting personal data from WHOIS and an accreditation process to verify the legitimacy of those (security professionals, law enforcement, journalists) who use it within their investigations.
Following a Governmental Advisory Committee (GAC) ICANN meeting to discuss the 'Registry and Registrar GDPR Compliance Model' in March, however, it looks like any such proposals would not become ready to roll out until December; a full six months after the GDPR start date. Which is bad news for security researchers as, without any accreditation process in place on 25 May, there will be no access to the registrant data.
ICANN has written to the data protection authorities for each of the 28 EU member states asking for 'specific guidance' regarding the interim compliance model it is proposing. ICANN has asked that they "help ICANN and the domain name registries and registrars to maintain the global WHOIS in its current form, through either clarification of the GDPR, a moratorium on enforcement or other relevant actions, until a revised WHOIS policy that balances these critical public interest perspectives may be developed and implemented." The concern being that without such guidance, and therefore a continued ambiguity when it comes to the practical application of GDPR to the global WHOIS system, it will lead to "many domain name registries and registrars choosing not to publish or collect WHOIS out of fear that they will be subject to significant fines following actions brought against them by the European DPAs."
Indeed, individual registrars are already taking their own steps to ensure they comply with GDPR. GoDaddy, for example, will no longer show any domain registrant, admin or technical contact data in the WHOIS record. It is filtering this out so as to be GDPR compliant. Others will, undoubtedly, follow.
SC Media UK reached out to ICANN President and CEO Göran Marby, who told us "we expect to receive feedback and clarification to outstanding questions on our Proposed Interim Model following Article 29's next plenary meeting in the coming weeks. We've requested help from the DPAs to maintain the global WHOIS in its current form, through either clarification of the GDPR or as a moratorium of enforcement, for example, until a revised WHOIS policy that balances the public interest perspectives may be developed and implemented. Our Proposed Interim Model includes an accreditation process by which law enforcement and security researchers would be among those with legitimate interests in having access to full 'Thick WHOIS' data. It's important to note, however, that we've asked the community to engage in the approach to this model, and we will also require feedback from the European DPAs. Until we have this clarification requested, we won't know if the model, or the accreditation process will be considered compliant with the law."
We then asked Tim Chen, CEO at DNS research specialists DomainTools, what the likely impact of all this will be on the security research community. "It is, unfortunately, accurate to assume that registrars and registries will impose a 'myriad' of different solutions in the period between 25 May and whenever they can build to the soon-to-be-published interim compliance model" Chen insisted. "Security personnel are going to be challenged to persist with investigative techniques that rely on personal data in domain name WHOIS records" Chen concluded "but by using the still-available WHOIS data combined with other DNS data sets it should still be possible to get context on attacks and attackers."
While arguing that it is "entirely unacceptable for ICANN to leave each registrar to decide if and how it will provide continuous access, with no means of enforcement" Jonathan Matkowsky, VP of Intellectual Property and Brand Security at RiskIQ, says that "continuous access must be mandatory." In conversation with SC Media UK, Matkowsky said he guaranteed that individual registrars simply do not have the resources to start taking on the additional work needed on the back-end that is being done for them using bulk access. Yet that is what would have to happen to avoid disrupting a stable and secure operation of the Internet identifiers until the accreditation system is up and running.
So, what would be the preferred preferred solution to both comply with regulation whilst enabling security researchers to do their job unimpeded? "The DPAs will not be able to come up with the technical solutions that are necessary to architect WHOIS in a way that is both compliant with GDPR and at the same time not damaging to the security and stability of the DNS" Jonathan Matkowsky, VP of Intellectual Property and Brand Security at RiskIQ insisted during a conversation with SC Media UK. "We need to do that work" Matkowsky continued "a moratorium is not needed on enforcement, but rather, a tiered-phase enforcement forbearance that has strong snap back provisions."
The phases should be subject to discussion between ICANN, the community, and the DPAs according to Matkowsky. One phase may be re-designing the public WHOIS so that it is minimally disruptive to the security and stability of the DNS and consistent with GDPR. A second may look at an accreditation model and what needs to be done by ICANN to help the community build it into the system architecture in a fair and just manner. "For each phase" Matkowsky concludes "deadlines can be set against which the DPAs can measure whether to have enforcement snap back into force..."