WHOIS: The process grinds forward, sort of; No relief for cybersecurity pros is in sight

Two years after ICANN began working on a GDPR-compliant access model for domain name registrant contact data (WHOIS), there remains a great deal of uncertainty as to when a possible solution will be implemented. Even more concerns abound about whether this solution will allow governments, organizations and users worldwide to access contact data for legitimate purposes in a timely fashion, and if it will be effective. In a recent test of the existing patchwork of registrar processes, 98% of requests for access to WHOIS data by Cybersecurity Tech Accord signatories were not acknowledged or were denied.

For over 20 years, registrar-provided WHOIS services, effectively a distributed set of domain name registration databases, have been an essential resource for cybersecurity professionals conducting investigations into online incidents. As such, they have played an essential role contributing to the security and stability of the internet. However, following the 2018 implementation of the European Union’s General Data Protection Regulation (GDPR), access to these services has been severely limited, even for legitimate purposes, leaving many to worry about the potential impact on cybersecurity.

In August 2018, the Cybersecurity Tech Accord signatories first highlighted what was going on with WHOIS. At that point, the Internet Corporation for Assigned Names and Numbers (ICANN) had just published the Temporary Specification that set out how the GDPR impacted access to WHOIS data. We expressed a number of concerns at that time, believing that ICANN’s plans were undermining an essential tool to protect internet users from online threats. We underlined the importance of swift action to ensure that precious data would not be lost. A few months later, we followed up on our initial statement with several concrete examples demonstrating how the fight against cybercrime has become more difficult since the changes were implemented.

Two years later, we are left wondering what exactly is expedited about ICANN’s “Expedited Policy Development Process.” While the world around us has changed dramatically, the path forward for WHOIS remains far from settled. ICANN initially focused on data collection and limiting its public availability with the Implementation Review in May 2019. A second phase, delivering a System for Standardized Access and Disclosure (SSAD), was completed in July of this year. Unfortunately, 15 months after the first phase concluded, the implementation is far from complete, and the recommendations highlighted in the second phase fail to propose a streamlined or standardized system. This may all sound bad enough, but the reality is even worse. Even once both phases are agreed, the registrars will be given at least a year to put the changes into practice. All the while, essential security and investigative processes are being undermined.

The implications of this policy development failure are clear from the cries for help and action from cybersecurity professionals. Cyber investigators first began reporting that they were experiencing difficulties using WHOIS data as far back as 2018. The Anti-Phishing Working Group (APWG) and the Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG), in their survey that year, said that requests to access non-public WHOIS by legitimate investigators for legitimate purposes were routinely refused. They highlighted that the guidance provided was unspecific, implementation was not uniform, and the processes were poorly understood by investigators, domain name registrars, and domain name registries. It seemed registrars and registries were disclosing, or not disclosing, redacted WHOIS data at their individual discretion, often without reasonable justification one way or the other.

Moreover, in the first nine months of the Temporary Specification being in effect, MarkMonitor, a Cybersecurity Tech Accord signatory, submitted over 1,000 separate requests to registrars for non-public WHOIS data. Of these, 86% were either ignored for 30 days and deemed “denied” or were explicitly denied without any indication that the request was actually considered. In fact, in the first 6 months of 2020, AppDetex, another of our signatories, found that only 22% of the registrars who were the subject of requests responded in any way.

It is difficult to overstate the importance of maintaining legitimate access to these resources. To better understand where things stand today, Cybersecurity Tech Accord signatories AppDetex, ESET, Facebook, Microsoft, and Panasonic took a closer look at the response rates they were receiving on their cybersecurity requests. While the sample was small, the conclusions were fairly overwhelming. In 55% of cases the requests were denied, and in 43% of cases there was no response at all – leaving a minuscule 2% of cases where any action was taken. No wonder that cybersecurity professionals, in both the private sector and the law enforcement community, have started wondering whether they will ever be able to rely on this tool again. Cybersecurity Tech Accord signatory CSC also shared concerns that requests for WHOIS information are being overwhelmingly denied; given the increased cyber risks that have accompanied Covid-19, CSC considers the rising number of domain and DNS threats to be a systemic problem that needs broader oversight.

The longer this problem persists, the more inadequate WHOIS becomes as a tool to protect us all online. In fact, investigators will be increasingly forced to use alternate techniques to get the information they need. This is especially unfortunate as access to WHOIS is more important today than it has ever been before. In March, Trend Micro reported that the Internet was drowning in Covid-19 related malware and phishing scams. Since then, the number of new domain names containing terms like “covid”, “virus”, and “vaccine” has grown exponentially, with many registered simply to scam innocent consumers who have no means to distinguish between honest players and bad actors. These are precisely the types of threats that access to WHOIS would help address. In June, Microsoft won a rare victory in seizing control of key domains in a criminal infrastructure that had been using Covid-19 as a lure, ensuring that they can no longer be used to execute cyberattacks. However, in order to gain a meaningful edge on criminals online, tools like WHOIS must be able to function smoothly and expeditiously.

This is why the Cybersecurity Tech Accord and the broader technology community are not giving up on this resource, and we recommend that all avenues be explored to keep WHOIS relevant for cybersecurity investigations. If the current policy process in ICANN fails, regulation will become the only option to restore access to this fundamental tool.

See here for the key milestones in the ICANN Expedited Policy Development Process (EPDP).