WHOIS counting? The Cybersecurity Tech Accord response to ICANN’s most recent recommendations

The Cybersecurity Tech Accord was first launched in 2018 with the objective of establishing a platform for technology companies from around the world to work together to help improve the security of the online ecosystem. And for nearly as long, the group has noted with concern the disruptions in access to the WHOIS database that have resulted from the misapplication of the General Data Protection Regulation (GDPR), which also went into effect in 2018. When we originally raised our concerns in a blog post in August 2018, we never could have imagined that the issue would continue to drag on for this long.

In summary, the WHOIS database has historically served as the property records of the internet, detailing who owns/controls which web properties. And as with property records, this information has proven invaluable to security professionals looking to conduct investigations and identify who is responsible for actions taken by/on certain domains. Unfortunately, those responsible for keeping and maintaining the WHOIS data have too often used GDPR as an excuse to simply not share this information – even when there is a legal basis or legitimate interest. To illustrate this issue, last September we revealed what happened when a handful of our signatories submitted requests for WHOIS data – 55% of requests were summarily denied and 43% received no response at all – leaving only 2% of cases where any action was taken.

This is untenable. Issues like this threaten the security and stability of our shared cyberspace and demand urgent redress to support strong security measures and accountability online. We cannot continue to accept a new status quo where WHOIS data is either not properly maintained or not readily shared for legitimate purposes. To this end, the Cybersecurity Tech Accord signed on to a letter in November, along with 20 other organizations, calling for swift action to be taken by the European Commission to restore access to WHOIS as part of the Digital Services Act.

In the meantime, ICANN’s Expedited Policy Development Process (EPDP), which began in July 2018 to solve this problem, has been unable to address the fundamental challenges at hand.

Our full response to ICANN’s pending recommendations can be found here; however, it is worth noting that our overall guidance at this point is for the EPDP recommendations for a System for Standardized Access/Disclosure (SSAD) to be paused for the time being while relevant legislative efforts take shape that may address the problem more effectively. This includes pending legislation in Europe as well as recently passed legislation in the United States, which are further detailed in our response and which seem better positioned to expeditiously resolve the issue of access to WHOIS data.