If you head over to a Whois service and search for wired.com, you’ll see that this site is registered to our publisher Conde Nast at One World Trade Center in New York City. If you have your own domain name, you’ll find your name and home address on Whois, unless you pay for a proxy service to hide that information.
New European privacy rules may change this—not just in Europe, but around the world. The European Union’s General Data Protection Regulation will take effect on May 25. The regulation forbids companies from sharing their European customers’ personal data without explicit permission, and gives customers the right to delete their data at any time. As a result, Whois entries may soon contain a lot less information.
Taking people’s personal information offline may sound like a no-brainer way to protect privacy. But law enforcement agencies, security researchers and intellectual property firms argue that putting registration under lock and key will make it harder to track down scammers, pirates, child pornographers, and other bad actors.
Figuring out how to strike the right balance between privacy and security falls to the Internet Corporation for Assigned Names and Numbers, the California-based nonprofit that manages the internet’s domain name system. ICANN, which contracts with registrars such as GoDaddy and Namecheap to sell and manage domain registration, has been working for years on a new protocol to replace Whois and possibly provide stronger privacy protections. But ICANN’s new system won’t be ready by May, so the organization has been scrambling to find a temporary solution.
Last week the organization released an updated proposal for a temporary plan to comply with GDPR by allowing companies that sell domain names to withhold names, addresses, phone numbers, and email addresses of customers not just in Europe, but anywhere in the world.
The proposal also suggests the creation of an “accreditation program” that would allow law enforcement and certain third parties, such as security researchers, to access more detailed Whois information. To gain accreditation, third parties would have to follow an as-yet-unwritten code of conduct, but the proposal is light on details and the program won’t be ready by May 25.
The idea of offering limited access to certain groups has been criticized both by privacy advocates like the Electronic Frontier Foundation, which argues that ICANN shouldn’t act as a gatekeeper deciding who should have access to Whois information, and by some outsiders who rely on access to Whois information.
“I can say without hesitation that few resources are as critical to what I do here at KrebsOnSecurity than the data available in the public WHOIS records,” security journalist Brian Krebs wrote in a [article on his site] (https://krebsonsecurity.com/2018/02/new-eu-privacy-law-may-weaken-security/). “WHOIS records are incredibly useful signposts for tracking cybercrime, and they frequently allow KrebsOnSecurity to break important stories about the connections between and identities behind various cybercriminal operations and the individuals/networks actively supporting or enabling those activities.”
The plan is sure to be a hot topic at this week’s ICANN meeting in Puerto Rico, but a final version of the temporary plan isn’t expected until next month.
Regardless of how the proposal shapes up, domain-name registration is already becoming harder to access. You can hide your personal information from public Whois queries by using proxy services, which are often sold by the registrars themselves. But domain registration companies often charge an extra fee for these proxy services, and less tech-savvy users might not realize if they don’t pay up, their information will be available to anyone who looks for it.
Meanwhile, domain registrar and web host GoDaddy is already curbing some access to its data. GoDaddy used to allow people to search its Whois records in bulk. “About a year ago we noticed a dramatic uptick in the number of customers complaining about robocalls,” says James Bladel, GoDaddy’s vice president of global policy. “Sometimes the calls came from information that was only used to register domains with GoDaddy, so the customers knew where the information was coming from.”
In response, the company stopped providing information like names and phone numbers through through automated Whois searches earlier this year. The information is still available through GoDaddy’s website and to certain partners, but it’s harder for spammers to harvest people’s details. Bladel says the move cut the company’s complaints by 80 percent. He emphasizes that the decision was intended to protect GoDaddy’s customers and its own reputation, and was unrelated to GDPR.
But Frederick Felman of the brand protection company MarkMonitor says even something that sounds as harmless as restricting automated access to personal information can create problems for law firms and security researchers. In many cases, people using domains for illegal purposes use proxies or enter false information. But Felman says criminals often slip up and make mistakes when registering large numbers of domains. They might forget to use a proxy for one domain. Or they might use the same fake phone number for many different domains, revealing connections between different sites. That’s the sort of thing that’s hard to see without access to Whois info in bulk.
The question is whether the benefits of putting Whois data into the public for research outweighs the privacy benefits of making it harder to access. And even if ICANN’s temporary proposal moves forward, the question will remain as the organization ponders its permanent Whois replacement.
- After 20 years where the US government controlled the internet’s address book, it handed off the responsibility to ICANN in 2016.
- Read about the General Data Protection Regulation rules approved by the European Parliament in 2016.
- Just three years ago, ICANN wanted to expand access to Whois records, and make it harder to shield personal information.