WHOIS after GDPR: A quick recap for CISOs
2018 was a big year for data protection with the implementation of the General Data Protection Regulation (GDPR) last May — forcing CISOs and other professionals to rethink how the personal data of European consumers should be collected and processed.
Taking a closer look at WHOIS in connection to that, the protocol gives access to public domain data including TLDs and ccTLDs as well as more personal information like the names and addresses of individual registrants. Though such details can be a source of insights to help intercept and track malicious domain owners, it’s no wonder that WHOIS is under fire in the eyes of GDPR legislators.
As a result, pro-WHOIS actors are expected to adapt. The Internet Corporation for Assigned Names and Numbers (ICANN), for example, has made several proposals for amendments while WHOIS information aggregators that offer resources such as WHOIS databases to various stakeholders must abide by the new rules.
As it’s still not clear where WHOIS might land, if anywhere, let’s take a look at today’s situation, reviewing the contentious areas, ICANN’s current initiatives, and where the fate of WHOIS might lie in the not-so-distant future.
The current situation
Here are some significant aspects that must be taken into consideration when making the final decision on whether or not to stick with WHOIS:
Privacy and identification: Having to deal with international laws, accountability, and access is a challenge for WHOIS, so its promoters need to find common ground across locations without losing the relevance and precision that domain data has provided. But what should apply where? Identifying scattered parties’ liability on the web can be tricky since it’s not always clear where different visitors and users reside.
Security: On the matter of cybersecurity, WHOIS faces a big dilemma — and whether it should be kept public or not is at the core of the debate. On the one hand, when records are widely available, cybercriminals can take advantage of the published data to target phishing and spam attacks. On the other hand, making records private would diminish the ability of cybersecurity teams that rely on them to detect malicious domains and the registrants behind them.
Accuracy: Under WHOIS, it’s easy to imagine how records end up containing inaccuracies or losing usefulness. For instance, it’s registrants themselves who fill in their personal, contact, and location information during the domain registration process, and they may purposefully choose to withhold details or provide erroneous ones — especially if they have questionable motives. Moreover, it’s possible to opt out of disclosure by paying an extra fee to keep records hidden.
Actions taken to make WHOIS GDPR-compliant
ICANN has been working on different approaches to address these issues, including:
A new accreditation model: This proposal grants users different levels of permission to acquire WHOIS information depending on their intentions. However, ICANN has not yet defined what specific practices shall be considered legitimate. Law enforcers would likely keep access to records, even if they go private, but for others like cybersecurity professionals, the future remains uncertain.
Data published when approved: With today’s Temporary Specification, WHOIS records and services would only present registrants’ unpublished data such as their contact information once authorized by administrators or technical contacts — permitting domain owners to keep data private if they wish.
Engagement strategies for education and awareness: As part of this suggested initiative, ICANN would continue to interact with registrars, registries, and governments to raise awareness of ICANN’s activities and WHOIS procedures. For example, the organization has implemented capacity-building programs to teach agencies and other interested parties the policies and technicalities of WHOIS data usage.
Strengthening DNS security: As one of ICANN’s recent attempts to boost domain security and make WHOIS more stable and accurate, the organization decided to reinforce DNS security. This was done by changing the cryptographic key for the DNS root in October 2018, for the first time since 2010, with the objective of lessening the possibility of cybercriminals altering IP addresses and, therefore, improving accuracy.
What might happen to WHOIS?
ICANN has recently renewed its adoption of the WHOIS Temporary Specification for another 90 days, effective February 19, 2019. By May 2019, the temporary policy is set to expire, a year after it was presented as a response to Europe’s enforcement of the GDPR.
If that happens, the WHOIS status so far considered temporary might become permanent and result in WHOIS services becoming fragmented — as some registrars might have no choice but to adhere to GDPR, while others would have to meet their contractual obligations with ICANN.
Now, there’s the prospect that ICANN will present a suitable solution that differs from the Temporary Specification, but what that could mean in practice is unclear.
In the meantime, it has been established that ccTLDs will not be as affected by the change of WHOIS policies for the time being, as official registries in charge of country-specific domain names have distinct administrations depending on their country’s policies.
Based on what’s been discussed in the past months since May 2018, it is difficult to predict whether WHOIS will remain the same primary tool for access to decentralized domain information. Time will tell.