Privatization of domain name databases could heighten risk of illegal activity online

The highly anticipated General Data Protection Regulation (GDPR) comes into effect today, hailed as the biggest overhaul in privacy legislation since the birth of the internet.

Organizations that hold data, from large corporations to SMEs and charities, have been scrambling to become GDPR compliant by changing how they use, retain, and share the personal data of their consumers.

Being suddenly forced to protect user privacy appears to have dealt initial blows to the business models of data-driven companies like Facebook, while advocates for consumer-first standards celebrate the arrival of a new era of information exchange.

But some fear the threat the EU legislation may pose to a core part of the internet’s infrastructure, one commonly used as a tool in the fight against cybercrime.

“It’s a big change from where we sit, and we’ve now been at this for 20 years,” Barry Branagh, a security researcher, told The Daily Swig.

Branagh works for The Spamhaus Project – a cybersecurity not-for-profit based in Geneva and London.

The project tracks online threats such as phishing, malware, and botnets to provide analysis, allowing law enforcement to take down the malicious actors behind them.

One of the ways both law enforcement and cybersecurity professionals do this is through WHOIS, a set of publicly queryable databases holding easily accessible information about website owners, such as their name, email, phone number, or even home address, which is made public unless the domain owner chooses otherwise.

A lack of awareness of WHOIS, combined with the system's default of exposing this information, means that many small website operators inadvertently reveal their personal details.

All of this information, which includes the technical details of the domain, can be used in forensic investigations of illegal activity online.

“The intellectual crime property unit would use it to look at the people who set up websites to sell counterfeit goods,” Emily Boneham, a representative from the UK agency Action Fraud, told The Daily Swig.

“So any contact details that are provided, we try to trace it back to the person who set it up. Our intelligence bureau would be looking at a much wider range of activity, but in both situations, they’ll work with the domain register to obtain details.”

While law enforcement will continue to collaborate with registries, as Action Fraud does with Nominet, for example, the automatic privatization of these databases under GDPR could mean a loss of access for independent groups or individuals monitoring cybercrime.

“The only ones who may feel it's nothing big are the ones that feel they can get free and easy access to ‘privatized’ WHOIS records,” explained Branagh.

He also voiced concern that the registries might choose to withhold all registration data from public view rather than risk the fines associated with GDPR non-compliance.

“That is assuming that the registrars and registries will now even care to keep records that do not have public scrutiny. That is a big assumption on anyone's part.”

Warnings that cybercrime will surge once GDPR takes effect have come from the highest levels of government security, with Rob Joyce, former White House cyber czar, writing on Twitter that cybercriminals would be celebrating.

“To ensure compliance with the GDPR, access to personal data will be restricted to layered/tiered access, where only users with a legitimate purpose can request access to non-public data through registrars and registry operators,” Buket Coskuner of ICANN told The Daily Swig.

ICANN, the Internet Corporation for Assigned Names and Numbers, is the not-for-profit entity that coordinates the WHOIS databases and the domain name system operated by the registries and registrars.

Over the past year, ICANN has worked with policymakers, law enforcement, and other stakeholders to create a GDPR compliance model that maintains the functionality and security of the domain name system (DNS), while protecting the privacy of users who fall within the EU’s jurisdiction.

“Public WHOIS entries will continue to display the registered domain name; information about the primary and secondary name server for the domain; information about the registrar, the original creation date and expiration date; and state/province and country of the registrant,” said Coskuner.

All other information, Coskuner explained, will now be masked. Those with a lawful need for the non-public data can apply for access, with registries and registrars – the organizations that sell domains – deciding whether or not to grant it.

Registrants can also choose to have all of their contact information published – a useful option when buying domains, since that transparency builds trust.

GoDaddy, a popular US domain registrar, was one of the stakeholders working with ICANN to develop a GDPR compliance model for the DNS.

The company previously came under fire for blocking public access to port 43, the port on which WHOIS servers answer automated lookups against their databases.

“Port 43 was so wide open that we didn’t have any real idea of who was using the data, who was accessing it, and for what purpose,” James Bladel, vice president of policy at GoDaddy, told The Daily Swig.

“While it’s true that cybersecurity professionals may have been using that data, it was also very apparent that it was being harvested for the purpose of spam, and when you don’t know who’s accessing the data you can’t reliably control for that.”

GoDaddy confirmed that the number of spam calls and emails decreased considerably once access to port 43 was limited.
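To make the port 43 mechanism and the tiered-access model concrete, here is an added example (not code from the article, ICANN, or GoDaddy): a minimal WHOIS client that speaks the raw port 43 protocol, plus a parser that sorts a registrar's `Key: Value` reply into the fields Coskuner lists as remaining public, the contact fields the registrar has masked, and any contact fields the registrant opted to publish. The sample replies are constructed for this example, and the redaction markers, the public-tier key names and the `whois.example-registry.test` server name are assumptions, since exact wording varies by registrar.

```python
import socket

# Fields the article says stay in the public WHOIS tier under ICANN's model
# (domain, name servers, registrar, creation/expiry dates, registrant
# state/province and country). Key spellings are an assumption; lower-cased for matching.
PUBLIC_TIER_KEYS = {
    "domain name", "name server", "registrar", "registrar iana id",
    "creation date", "registry expiry date",
    "registrant state/province", "registrant country",
}
# Prefixes of contact fields that move to the non-public tier.
CONTACT_PREFIXES = ("registrant ", "admin ", "tech ")
# Substrings registrars commonly use when masking a value (assumption: a heuristic,
# not a standard; extend as needed).
REDACTION_MARKERS = ("redacted", "data protected", "not disclosed", "privacy", "query the rdds")


def whois_query(domain: str, server: str = "whois.example-registry.test",
                port: int = 43, timeout: float = 10.0) -> str:
    """Raw WHOIS lookup: connect to TCP port 43, send the domain followed by CRLF,
    and read until the server closes the connection. Requires network access,
    so it is not exercised by the offline demo below."""
    with socket.create_connection((server, port), timeout=timeout) as sock:
        sock.sendall(domain.encode("ascii") + b"\r\n")
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")


def parse_whois(text: str) -> dict:
    """Turn 'Key: Value' lines into {lower_key: [values]}; keys may repeat (Name Server)."""
    records: dict = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("%", "#", ">>>")):
            continue  # comments, blank lines, the trailing database-update notice
        key, sep, value = line.partition(":")
        if not sep:
            continue  # free-text terms-of-use lines without a key
        records.setdefault(key.strip().lower(), []).append(value.strip())
    return records


def is_redacted(value: str) -> bool:
    """Empty values or values carrying a known masking phrase count as withheld."""
    v = value.lower()
    return not v or any(marker in v for marker in REDACTION_MARKERS)


def tier_report(text: str) -> dict:
    """Split a WHOIS reply into the public-tier fields, the contact fields the
    registrar masked, and any contact fields the registrant chose to publish."""
    records = parse_whois(text)
    public = {k: v for k, v in records.items() if k in PUBLIC_TIER_KEYS}
    redacted, disclosed = [], {}
    for key, values in records.items():
        if key in PUBLIC_TIER_KEYS or not key.startswith(CONTACT_PREFIXES):
            continue
        if all(is_redacted(v) for v in values):
            redacted.append(key)
        else:
            disclosed[key] = values
    return {"public": public, "redacted": sorted(redacted), "disclosed": disclosed}


# Constructed sample reply in the layout most gTLD registrars use (not real data).
MASKED_REPLY = """\
Domain Name: EXAMPLE-REGISTRANT.COM
Registrar: Example Registrar, LLC
Registrar IANA ID: 0000
Creation Date: 2015-03-01T12:00:00Z
Registry Expiry Date: 2025-03-01T12:00:00Z
Name Server: NS1.EXAMPLE.NET
Name Server: NS2.EXAMPLE.NET
Registrant Name: REDACTED FOR PRIVACY
Registrant Organization: REDACTED FOR PRIVACY
Registrant Street: REDACTED FOR PRIVACY
Registrant State/Province: Geneva
Registrant Country: CH
Registrant Phone: REDACTED FOR PRIVACY
Registrant Email: Please query the RDDS service of the Registrar of Record
Admin Email: REDACTED FOR PRIVACY
>>> Last update of WHOIS database: 2018-05-25T00:00:00Z <<<
"""

# Same constructed record, but the registrant has opted to publish name and email.
OPTED_IN_REPLY = (
    MASKED_REPLY
    .replace("Registrant Name: REDACTED FOR PRIVACY", "Registrant Name: Jane Doe")
    .replace("Registrant Email: Please query the RDDS service of the Registrar of Record",
             "Registrant Email: jane@example-registrant.com")
)

if __name__ == "__main__":
    for label, reply in (("masked", MASKED_REPLY), ("opted in", OPTED_IN_REPLY)):
        print(label, tier_report(reply))
```

For a live investigation, `whois_query("example.com", server="whois.verisign-grs.com")` fetches a reply for `tier_report` to classify; in practice the registry's answer often just points at the sponsoring registrar's own WHOIS server, so a second query there is usually needed. The redaction test is a string heuristic, so a legitimately disclosed value that happens to contain a marker word (an organization named "Privacy Ltd", say) would be misclassified; treat the report as a triage aid, not ground truth.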

The company had applied a whitelist granting access to approved users, but Bladel noted that the whitelist wasn’t a silver bullet, as illegitimate users would still find ways to exploit it.

Bladel said he hopes that GDPR will provide new opportunities to keep WHOIS open to the public, while also protecting the security of GoDaddy clients.

He said: “I think one of the things GDPR allows us to do is move that to a web-based system where we can actually put caches on the web page, or we can monitor it a little more closely.”