ICANN’s Temporary Specification Survey

To: Goran Marby, CEO, ICANN; Cherine Chalaby, COB, ICANN; Rod Rasmussen, Chairman, ICANN SSAC

From: Dave Jevans, on behalf of the Anti-Phishing Working Group Members and Board of Directors

Dear Sirs,

The Anti-Phishing Working Group (APWG) is an international coalition of private industry, government and law-enforcement actors and NGO communities who focus on the identification and mitigation of financial fraud and related cybercrime.

The APWG membership continues to follow the ICANN community’s efforts to define an interim plan to ensure that the existing public display (disclosure) of domain name registration data complies with the impending European Union General Data Protection Regulation (GDPR). To assist the ICANN community in this effort, the APWG has collaborated with the Messaging, Malware, and Mobile Anti-Abuse Working Group (M3AAWG) to conduct a survey of cyber investigators to understand how ICANN’s Temporary Specification for gTLD Registration Data has affected their access to and usage of domain name registration information and their ability to mitigate abuse.

From our analysis of over 300 survey responses, we find that the changes to WHOIS access following ICANN’s implementation of the EU GDPR, the Temporary Specification for gTLD Registration Data[1] (“Temp Spec”, adopted in May 2018), are significantly impeding cyber applications and forensic investigations and allowing more harm to victims.

The policy has introduced delays into investigations, and the reduced utility of public WHOIS data is a dire problem. Delays favor the attacker and criminal, who can claim victims or profit over longer windows of opportunity. The loss of timely and repeatable access to complete WHOIS data is impeding investigations of all kinds, from fraud activities such as phishing and ransomware, to the distribution of fake news and subversive political influence campaigns.

From the responses of cybercrime investigators and anti-abuse service providers, we find that implementation of ICANN’s Temp Spec impedes cyber security investigations: specifically,

- Cyber-investigations and mitigations are impeded because investigators are unable to access complete domain name registration data.

- The mitigation or triage of cyber incidents cannot be accomplished in a timely manner.

- WHOIS has become an unreliable or less meaningful source of threat intelligence.

- Requests to access non-public WHOIS by legitimate investigators for legitimate purposes are routinely refused.

- Those who protect Internet resources are also making more coarse blocking or mitigation decisions in the absence of what was formerly reliable data.

- The utility of WHOIS has been severely damaged.

- The redaction of WHOIS data is excessive.

The body of our report offers an analysis of the 327 survey responses from the combined APWG and M3AAWG surveys.

Based on these findings, we encourage the ICANN organization and community to consider these recommendations during their ongoing deliberation of WHOIS policy:

Recommendation 1: There must be an accredited access mechanism, providing tiered or gated access to qualified security actors.

Recommendation 2: ICANN should not allow redaction of the contact data of legal entities.

Recommendation 3: ICANN should adopt a contact data access request specification that will ensure consistency across all accredited registrars and gTLD registries.

Recommendation 4: ICANN should ensure that accredited access to redacted WHOIS data does not introduce delays in collecting or processing WHOIS data, and further, that the access not be encumbered by per-request authorizations.

Recommendation 5: ICANN should reconsider the current redaction policy.

Recommendation 6: We ask that ICANN publish point-of-contact email addresses to provide investigators with an effective means of identifying domains associated with a victim or person of interest in an investigation.

We respectfully request that the ICANN organization, community and board consider the attached survey report. The report is also published at the Anti-Phishing Working Group web site, https://apwg.org.

We recognize that ICANN is likely aware of several of these issues. We also realize that the ICANN organization and Board of Directors are awaiting the Expedited Policy Development Process (EPDP) for answers to many issues; however, we believe that the ICANN Board of Directors and ICANN organization have the ability to update the Temp Spec to fix the problems that this survey and others have identified as most pressing or egregious while the EPDP work continues.

APWG or M3AAWG members welcome the opportunity to brief the EPDP panel, any ICANN community members, or ICANN organization on the survey or its results. We would welcome this opportunity to share, anecdotally, additional field experiences.

Thank you in advance for your consideration,


Dave Jevans,

Chairman, Anti-Phishing Working Group (apwg.org)