In May 2018, the European Union’s General Data Protection Regulation (GDPR) officially became law. However, the dust around its implementation is far from settled, as companies continue to learn how to navigate the new legal landscape and adapt their business practices accordingly. We are also beginning to realize that the legislation might have certain unexpected consequences. Ironically, some of them may serve to undermine the security of Internet users, rather than protect them. One example is the Internet Corporation for Assigned Names and Numbers (ICANN) and its attempt to ensure compliance of its WHOIS system.
For years, cybercriminals have exploited the domain name system to launch coordinated and automated attacks on a global scale. Attackers often use domain names disguised as major brands to install malware on targeted computers and take control of legitimate servers or websites to cause mass disruption or obtain critical information. Over the past two decades, the global WHOIS directory has been used by millions of individuals, businesses, organizations and governments, who registered domain names to support a transparent online ecosystem that protects users and customers. The resulting database was searchable, which allowed cyberdefenders to determine the owner of a domain name and IP address, and has provided a viable means to obtain the information necessary to identify criminal actors, prevent harm, and protect the online ecosystem.
Since May, ICANN has struggled to come to terms with Europe’s new data protection law. In an attempt to operate under GDPR, ICANN adopted a temporary resolution in May to ensure a common framework for handling registration information by reducing the quantity and ease of access to WHOIS data. Under the temporary specifications, registrars would collect all of the same data points about their customers yet limit how much of that information is made available through public WHOIS searches. This has not only hampered the ability to identify malicious actors online, but also resulted in divergent approaches by registrars and registries, potentially fragmenting the WHOIS system as a whole in the long run.
In late June, a discussion to develop a framework for an accreditation and access model started with the draft of Framework Elements for a Unified Access Model for Continued Access to Full WHOIS Data. The Framework proposes a tiered-access model, with prospective users having to apply for accreditation from specific bodies before gaining access to full WHOIS data. This leaves many details, including query types, undefined, with the intent that the ICANN multi-stakeholder community will generate policy to fill the gaps.
Ultimately, the framework falls short of delivering solutions that allow cybersecurity companies to address the increasing number of cyberspace threats. While we welcome the framework as a starting point for the discussion and are delighted that ICANN has turned to the multi-stakeholder community to provide feedback and help develop a sustainable approach in its consultation process, more needs to be done. The Cybersecurity Tech Accord signatories therefore call on ICANN, in the policy position published today, to expedite the development and implementation of an accreditation model that allows for broad, persistent and frictionless access to WHOIS data for legitimate purposes, such as cybersecurity.
We strongly embrace an individual’s right to privacy outlined under the GDPR; however, we also recognize that there is no privacy without strong security. The WHOIS data represents an important tool that our cybersecurity defenders rely upon to help maintain a stable and secure Internet, and we believe access to such data for the purpose of cybersecurity needs to be maintained. It is therefore critical that a workable accreditation model is developed, and developed quickly.