APWG Applied Research

EU GDPR Compliance Implementation Creates Adverse Consequences for Cyber Investigations

The EU General Data Protection Regulation (GDPR) is part of what is expected to be a long and global process to establish personal data protections and privacy. GDPR affects organizations worldwide: any entity that collects or processes personal data of EU citizens and residents has obligations to protect that data. Such broadly applicable legislation obliges organizations like the Internet Corporation for Assigned Names and Numbers (ICANN) to set policies to comply with the legislation.

Public safety must be treated as equally important to privacy rather than sacrificed. If privacy policies interfere with the investigators’ abilities to bring the perpetrators to justice, they create opportunities for cyber attackers to menace citizens, invade their privacy and abuse their identities. There must be a balance.

In the aftermath of GDPR’s establishment, ICANN’s policies for access to domain registration data (Whois) have created adverse consequences for investigations into terrorist activities, political influence campaigns and cybercrimes,  creating serious threats to public safety.  In this monograph, APWG explains exactly how Whois data is employed during preventative and forensic cyber investigations – and how ICANN’s interpretation of GDPR in particular also delays development of programmatic machine-driven responses that are widely used to maintain public safety and are vital to the long-term viability of the Internet as a governable domain.

Programmatic machine-driven responses are used today to combat cyberattacks at the speed of execution.  Investigators rely on programmatic responses to (i) identify, analyze and characterize the nature of cyber attacks behavior (ii) determine mitigations and (iii) identify and apprehend perpetrators. Without automation, responses to cyberattacks are delayed or confounded, leaving citizens, institutions, and economies at great risk of harm or loss.

How Investigators Use Domain Whois To Investigate and Mitigate Security Threats

Intelligence communities, law enforcement and public-safety first responders use Whois point-of-contact data (registrant name, email or postal addresses, telephone number, etc.) to identify threat actors and to analyze the threats their campaigns or criminal enterprises pose. ICANN’s attempt to comply with EU GDPR impedes investigators from reliably collecting Whois to follow the trails of these threat actors. In particular:

Whois provides the means to find related but as yet undiscovered domains. This underappreciated aspect of cyber investigations merits attention. For example, when intelligence agents and private investigators identified an inauthentic news web site domain that targeted US elections, they used Whois contact data – domain owner name, email or postal addresses, telephone number – to find and analyze other domains with similar data. Whois contact data led to the shut down all of the related web sites.

Access to Whois is critical to identifying initial persons of interest (suspects). Private cybersecurity companies typically find criminal domain names by extracting the domain names from suspicious emails that they capture in their detection networks, by monitoring network traffic seen from infected computers, or by reverse-engineering malware samples. Having found those names, the question then becomes, “Who registered those names?”

Typically, researchers, investigators or commercial security companies would use Whois point-of-contact data (registrant name, email or postal addresses, telephone number, etc.) as search arguments in to find other domains owned by the same cyber criminals. Finding other domains is critically important: taking down just one or two domains means nothing if a criminal has hundreds of others available as ready replacements. Cybersecurity analysts need to find virtually ALL of a criminal’s domain names to take down their schemes, and real time access to Whois data is critical to ensuring that action taken against criminal domain names is timely and effective.

ICANN’s changes to Whois comply with EU GDPR by unconditionally masking Whois data. Investigators can no longer quickly find all the domains associated with a campaign directly through real time Whois. Shutdowns can no longer be done quickly or pre-emptively. The edge to protect is lost, most importantly the capacity to take preventative action before harm is inflicted.

The removal of Whois data eliminates long-employed response practices, forensic schemes and cybercrime prevention protocols that actively and pre-emptively protected citizens and enterprises. In the months subsequent to GDPR deployment, first responders and law enforcement agents reported to the APWG that masking Whois interfered with their ability to investigate threats that menace enterprises, governments and nation states. APWG examines some of these threat scenarios below and describes how the removal of timely access to Whois data has impeded industry’s ability to defend its constituents and to assist public sector national law enforcement agencies.

Investigations of Terrorist Activities or Political-Influence Campaigns

Terrorist groups and state-sponsored actors radicalize and recruit members or exert political influence through spam email and web campaigns. These threat actors use fake social media or messenger app accounts to promote insurgency, influence voters, recruit members or obtain financial support. They post messages on these accounts that are carefully written to lure users to web sites that host fake news or political influence content. To thwart takedowns, they create multiple fake accounts. They also change the domain names and addresses where they host web sites frequently to evade investigators. Domain names serve the same purpose for these actors as cheap prepaid cell phones serve for drug dealers.

Political influence campaigns affect all nations. Ukraine’s head of cyber police alleged that Russian hackers attacked his country’s electoral servers and conducting phishing and spam campaigns to capture accounts and passwords of election officials. The US Director of National Intelligence reported to the President and US agencies that multiple adversaries attempted to influence the US midterm elections through political influence and messaging campaigns operated from social media sites. Terrorists have also moved inauthentic behavior campaigns to chat apps. As social media sites aggressively investigate fake news activities, ISIS and other terrorist groups have responded by exploiting free public messenger accounts to lure visitors to sites that instigate anti-US sentiment, radicalization or insurgency. (9 January 2019)

Public/Private Partnerships are needed to defeat national security threats. Global cooperation between operators of these services, cybersecurity companies, research and intelligence communities is needed to successfully shut down complex influence or recruitment campaigns. Timely shutdowns are essential: delays give these actors the opportunity to move their virtual terrorist cells and radicalizing online messaging, much as the terrorists themselves move to evade capture. The campaigns persist, and the public is unduly exposed to activities that undermine governments or put citizens at risk of harm or attack.

Governments and Private Organizations Exploitation via DNS Hijackings

A DNS hijacking is a domain name account compromise attack. Such attacks are like an email or bank login attack but here, the attacker gains control of domain name registration, which gives the attacker control of the DNS for the domain. With control of DNS, the attackers can intercept and capture a government agency’s or a private organization’s email, or they can deface web sites, disrupt services, or conduct fraud attacks. They can also impersonate web sites to steal accounts and passwords, to extract content or to deface the site – or redirect visitors to other web sites under the attacker’s control.

In January 2019, six US government agencies were targeted in DNS hijacking attacks. The US Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) issued warnings to executive branch agencies to domains were impacted by attacks designed to take control over domain name system (DNS) infrastructures.

Such attacks continue and attackers have expanded beyond their original US targets. As recently as May 2019, investigators uncovered a DNS hijacking campaign by state sponsored actors against over forty organizations in thirteen countries.

IT administrators and third-party security and response organizations monitor domain name ownership records to detect unauthorized changes. Whois records contain configuration data that is critical for correct and intended operation of networks and web sites. Administrators query the records of their own domains frequently to verify that contact data has not been changed without authorization. ICANN’s own Security and Stability Advisory Committee (SSAC) published two advisories (SAC 040, SAC 044) recommending proactive measures to prevent DNS hijacking attacks: these depend on Whois data, but ICANN has now made it impossible for IT administrators to follow SSAC’s advice, leaving agencies and private organizations vulnerable. Without timely access to Whois contact, restoring ownership or web presence, or removing unauthorized content takes days rather than hours.

Discovery and Dismantling of criminal (botnet or spam) infrastructures

Ad-fraud crimes redirect Internet users away from legitimate advertisements to fake or malicious ads hosted by criminals on infected computers, servers and even in cloud networks to steal ad revenue. The 3ve operation is representative of ad fraud networking. 3ve uses two botnets: systems infected by one botnet loaded ads onto imposter websites that were hosted on over 1900 servers rented at commercial data centers. These fake sites impersonated over 5000 legitimate sites.  Systems infected by a second botnet generated web traffic to the fake sites – they created the illusion that users were visiting the sites from browsers – to hijack the ad revenue from the legitimate advertisers.

US Department of Justice Advisories document the extent and magnitude of losses associated with this single botnet campaign. The 27 November 2018 US CERT Advisory TA18-311A, 3ve – Major Fraud Operation, describes the indictment of eight defendants for causing millions of dollars of losses in digital ad fraud by the US Attorney’s Office, Eastern Court of New York.

The 3ve dismantling is representative of the kinds of public/private partnerships that are commonly employed and critical to investigations leading to the prosecution of cyber criminals. Law enforcement agencies often lack the time, resources and technical staff to analyze intentionally complex online criminal operations. Private parties, such as cybersecurity companies, voluntarily help by investigating online criminal activity that they’ve found, and then sharing their discoveries with law enforcement or other government agencies for take down and prosecution. Whois contact data figured prominently during the course of the investigation, apprehension and prosecution of the criminals.

Impact of Blanket Whois Redaction is Profound

The Whois policy that ICANN adopted in an attempt to comply with the EU GDPR redacts all Whois records of generic Top-level Domains. As well as blocking access to personal identifying information (PII) as envisioned by GDPR, this effectively blocks access to the non-personal identifying machine-related information that network operators and abuse investigators rely on to combat online crime and to notify victims of cyberattacks.

Attribution matters. What ICANN policy misunderstands is that all data found in Whois PoC, accurate or otherwise, are useful to abuse investigators. Even when investigators cannot derive attribution immediately from the PoC, they gain a clue, in the same way that a police officer might learn about a suspect by questioning witnesses or confidential informants to obtain a “street name”. The data may be incomplete or inaccurate, but someone composed the fraudulent entry. What motivated him to publish those data rather than something else? Where else can investigators find those data—either in Whois or social media or in other registrations (address, logins to blogs, etc.)?

Of equal importance is timeliness: how quickly can investigators use the clue to disrupt the attack? By allowing attacks to continue even minutes beyond the typical time to mitigate attacks in the pre-redaction days, masked access gives attackers a much longer window of opportunity within which to cause harm or loss.

The European Commission recognizes that an urgency exists, but ICANN’s policy process has to date floundered. The EC has “constantly urged ICANN and the community to develop a unified access model that applies to all registries and registrars and provides a stable, predictable, and workable method for accessing non-public gTLD registration data for users with a legitimate interest or other legal basis as provided for in the General Data Protection Regulation (GDPR).” The unified access model was “deferred” but for all intents and purposes ignored by the ICANN policy development efforts that resulted in the currently implemented Whois redaction policy.

The APWG also considered this matter urgent and nearly a year ago offered to ICANN a model trusted intervener system that was fully consistent with EU data protection rules including GDPR. During that year, masked Whois measurably impaired blocklisting defenses worldwide. Like the EC, APWG urges ICANN to develop and implement an access model in the shortest timeframe possible. Like the EC, APWG will contribute actively. APWG fervently hopes that this monograph conveys a sense of urgency to ICANN community.

ICANN… please act now.