We are on the brink of the most serious cyber threat to the open and public Internet for decades. ICANN, under pressure from domain name registrars and EU data protection authorities, has proposed an “interim” plan that will hide critical information in WHOIS. Cyber security, cyber threat assessment, and anti-abuse professionals rely on this data to track down bad guys and keep the Internet as safe and secure as possible.
ICANN and the registrars have been going back and forth on ways to align privacy laws with the WHOIS system, which functions as a public “phone book” for Internet domains, recording information that includes the name, email address, street address, and phone number of the company or individual who registered the domain.
For years, there has been an accepted procedure for handling situations in which WHOIS conflicts with privacy law—nobody disputes the importance of protecting the privacy of natural persons. But now, with only sixty days to go before the General Data Protection Regulation (GDPR) adopted by the European Union (EU) takes effect, registrars, who finance ICANN, have pressured ICANN into closing the public phone book altogether, turning the open and public Internet into a Tor-like deep and darknet. Specifically, ICANN came out with an interim solution nicknamed the “Cookbook,” which suggests completely masking the contact email address, thereby completely masking who is responsible for managing or controlling a resource on the Internet. The Cookbook also suggests masking information for corporations, even though GDPR doesn’t apply to them.
The ability to register domains anonymously is a massive problem for the cyber security of the internet—cyber attackers need to establish an infrastructure to originate their cyber attack and set up servers to communicate with their malware. Often, they'll register multiple domains at the beginning of an attack campaign for use during all phases of their operations. Cyber security professionals rely on the WHOIS protocol to query for ownership information about a domain, IP address, or subnet. Without this data, it becomes significantly more difficult to rapidly take down phishing sites or compromised domains hosting malware—the vast majority of cybercriminal activities.
The Cookbook also makes it impossible to see which sites are connected or under the same management or control. For example, if someone in an organization’s marketing department registered a domain using a corporate account without going through the correct internal procedures, and that site did not have the right patches or was not scanned for vulnerabilities, the cyber security team would have no way to know about or fix the problem to protect innocent visitors.
With the registrar business being low-margin, anything that will reduce the cyber security line item on their budget is most welcome, if they can get away with it. Too many registrars would rather conceal the connectedness between domain assets than lose business or deal with reports of malicious activity. GDPR has become the perfect excuse for this because there is always ambiguity when new laws come out. If they can take advantage of this uncertainty to make the domain system more closed and private for their financial gain, they will certainly do it.
The Governmental Advisory Committee (GAC) of ICANN met in San Juan, Puerto Rico in March 2018. The GAC advised the Board to instruct ICANN to maintain the current structure of the WHOIS to the greatest extent possible. The GAC essentially pleaded to the ICANN Board to instruct ICANN that it must reconsider hiding the registrant email addresses from the free phone book, emphasizing (quite diplomatically) that it may not be proportionate given the significant adverse impact on law enforcement, cybersecurity, and rights protection it would have.
The GAC appropriately went even further by emphasizing to the ICANN Board that it must instruct ICANN not to erroneously use GDPR, which applies to people, as an excuse to shut down public access to corporate contacts in the phone book, which is not even in the remit of GDPR. As discussed, this unjustifiable over-application of GDPR even prevents companies from protecting their very own infrastructure.
If the phone book must change in some ways, notwithstanding the accepted procedures for handling WHOIS conflicts with privacy laws, then ICANN must ensure that those with a legitimate purpose still have continued access to the contact information needed to protect business and the public until the re-designed phone book is ready for use. You can’t just close the book and tell cyber security professionals, who rely on WHOIS data to keep the internet safe, to come back when it's re-designed, potentially months later. It's entirely unacceptable for ICANN to leave each registrar to decide if and how it will provide continuous access, with no means of enforcement. Continuous access must be mandatory. The phone books also have to be easy to use in today’s world, i.e., not designed to impose limits that undermine all functionality in the digital age—if you can only use the phone book manually or less than you would reasonably need, the query volume limitation is no more than a disguised blockade.
Being able to connect the dots for cyber threat intelligence analysis is actually the only way to protect innocent people. For example, it is not uncommon for people’s identities to be compromised for criminal activities. Some may think this means that WHOIS is unreliable if criminals have compromised the domain already, but DNS hijacking is not nearly as common as compromising the domain hosting account. It’s simply not fair to harm innocent people by depriving cyber security analysts of circumstantial evidence that comes from a complete historical and up-to-date context. This is necessary to assess the severity of a cyber threat accurately. Without being able to link domains together, the innocent will suffer, and criminals will get away.
To repeat, we are on the brink of the most serious cyber threat to the open and public Internet for decades. We must step up to the plate and not get complacent about this. Too much is at stake. We need a temporary policy in place at ICANN that recognizes there is no privacy without cyber security. And that means ICANN must have a way to hold registrars accountable if they abuse GDPR as an excuse to cripple WHOIS.
We at RiskIQ value our relationship with ICANN staff too, and we recognize that it takes courage to admit that both ICANN’s management and the multi-stakeholder model do not appear to be working here—or at least that there’s a risk they won’t work in time. There are politics for everyone involved, but together, we can collectively demand that ICANN step away from this reckless and short-sighted plan.
There are only a few days left. If we aren’t willing to hold ICANN accountable, then we are accountable for not standing our ground. After all, we are ICANN. So now it’s time to decide if you’re willing to stand your ground to fight for what’s right. RiskIQ has written a letter to the ICANN leadership expressing our concern. This is a developing story with recent updates published here.
We invite you to support this effort by signing a letter similar to the one submitted to ICANN. You can fill out the brief form below the letter to lend your support for this important policy issue that affects us all. The clock is ticking.