Phish Lure

ICANN, GDPR, and the WHOIS: A Users Survey – Three Years Later

The Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG) and The Anti-Phishing Working Group (APWG) have again collaborated to conduct a survey of cyber investigators and anti- abuse service providers to understand how ICANN’s application of the European Union’s General Data Protection Regulation (GDPR) has impacted on the distributed WHOIS service and anti-abuse work. In particular, we are discussing the effect of the Temporary Specification on anti-abuse actors’ access and usage of domain name registration information, which is central for various types of investigations.

At its core, the WHOIS is a protocol widely used for accessing data on registered assignees of an Internet resource, in our case domain names. WHOIS services are available via multiple channels, e.g. Web-based tools, Port 43, and more recently RDAP.

From our analysis of over 270 survey responses, we find that respondents report that changes to WHOIS access following ICANN’s implementation of the EU GDPR, the Temporary Specification for gTLD Registration Data1 (Temporary Specification, adopted in May 2018), continue2 to significantly impede cyber applications and forensic investigations and thus cause harm or loss to vicKms of phishing, malware or other cyber attacks.

Specifically, the survey responses indicate that the Temporary Specification has reduced the utility of public WHOIS data due to wide-ranging redactions, beyond what is legally required. It also introduces considerable delays, as investigators have to request access to redacted data on a case-by-case basis; oJen with unactionable results. Furthermore, with limited or no access to the data that had previously been obtained or derived from WHOIS data, some investigators struggle to identify perpetrators and put an end to criminal campaigns. The resulting delays and roadblocks are a boon to attackers and criminals, prolonging their windows of opportunity to cause harm during cybercrime activities such as phishing and ransomware distribution, or the dissemination of fake news and subversive political influence campaigns.

M3AAWG and APWG observe that there are four issues that ICANN needs to address:

  1. Access to some relevant data like contact data of legal persons needs to be readily available while protecting natural persons’ privacy.
  2. Both sporadic WHOIS users who make relatively few requests, as well as bulk users who use data-driven approaches for blocklisting should be accommodated by ICANN.
  3. ICANN should establish a functional system of registrant data access for accredited; such a system needs to be workable for cybersecurity professionals and law enforcement in terms of .me delays and administrative burden, and should include strict privacy and security controls.
  4. The survey responses indicate that the solutions currently discussed at ICANN would not meet the needs of law enforcement and cybersecurity actors in terms of timelines