When the European Union’s General Data Protection Regulation went into effect in May, regulators and privacy advocates touted the new rules as a long-overdue shield to protect internet users against nefarious online activity.
But several months into its implementation, cybersecurity analysts now say overzealous application of the GDPR is in fact making the internet less safe by protecting the privacy of bad actors along with good ones.
“Has it lowered our ability to identify malicious actors and their infrastructure? Of course it has,” said Andrei Barysevich, the director of advanced collection at cybersecurity firm Recorded Future.
Barysevich believes private cybersecurity firms were blindsided when the GDPR severely curtailed the public’s access to WHOIS—a global database of domain-registration information that lists the name, email address, phone number, street address, and other identifying data for any individual who purchases a domain name. And his concerns are shared by a global group of private cybersecurity professionals, some of whom travelled to Barcelona last week to urge the Internet Corporation for Assigned Names and Numbers to grant cybersecurity researchers an exemption.
Tim Chen, the chief executive of threat-intelligence firm DomainTools, was one of those professionals. While he supports the GDPR’s overarching goal, Chen worries that ICANN’s overbroad application of the new rules is shutting security researchers out of information they need to identify and respond to botnets, spammers, and other malicious infrastructure now flourishing online.
“You’re basically making this a worldwide law that applies to everybody, even though it’s only an EU law and only applies to individual persons,” said Chen. “And doing that kind of an application does weaken security of the internet.”
Chen and others hope to convince ICANN to create a system where private cybersecurity analysts are granted special dispensation to examine domain-name information in order to protect online targets from criminal enterprises—including those run by Russia and other state actors.
But after the discussions he had in Barcelona last week, Chen thinks it’s unlikely that access to WHOIS will be extended beyond law enforcement officials. “I’m pessimistic on any other access, unfortunately,” he told National Journal.
Until the GDPR went live on May 25, WHOIS was publicly available for any and all to review. And though it was far from perfect, cybersecurity researchers say the domain-registration database often provided the breadcrumbs needed to identify, track and ultimately dismantle the online infrastructure of cybercriminals operating worldwide.
John Bambenek, a vice president at cybersecurity firm ThreatSTOP and a professor at the University of Illinois, said access to WHOIS data was a crucial part of the response to Russia’s election meddling in 2016 and afterwards.
“One of the ways we were able to see what the Russians were targeting before they actually attacked was this data,” said Bambenek, explaining how automated tools were routinely employed to scan domain-registration information for suspicious names, numbers or addresses.
“We put alerts so anytime they registered a domain, we knew about it before they started launching attacks, and we could interdict it,” said Bambenek. “That’s how we caught the meddling in the French election. We saw it in Germany. We saw it in the United States. We cannot do that anymore.”
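The kind of automated WHOIS check Bambenek describes, written out as an added example that is not code from the article or from any of the firms it quotes: registrant attributes (email, phone, name) tied to previously seen infrastructure go on a watchlist, new registrations are parsed and matched against it, and a pivot step links domains that share a registrant attribute. The same scan is then run over GDPR-style redacted records to show why the signal disappears. Every record, domain name, watchlist value and redaction phrase below is constructed sample data, and the functions are this example's own, not an API of any real WHOIS tool.

```python
"""Added example: pivoting on WHOIS registrant data, pre- and post-GDPR.

Constructed sample data throughout; nothing here is taken from a real
registrar, registry or threat feed.
"""
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed WHOIS output in the flat "Key: value" layout most registrars
# emitted before May 2018.  All names, addresses and numbers are invented.
PRE_GDPR_RECORDS = """\
Domain Name: example-login-portal.test
Registrant Name: J. Example
Registrant Email: registrant-one@example.invalid
Registrant Phone: +1.5550100

Domain Name: secure-mail-update.test
Registrant Name: Privacy Service
Registrant Email: registrant-one@example.invalid
Registrant Phone: +1.5550199

Domain Name: unrelated-shop.test
Registrant Name: A. Nobody
Registrant Email: shop@example.invalid
Registrant Phone: +1.5550177
"""

# The same two domains as a registrar would publish them after redaction
# (constructed; the placeholder wording varies between registrars).
POST_GDPR_RECORDS = """\
Domain Name: example-login-portal.test
Registrant Name: REDACTED FOR PRIVACY
Registrant Email: Please query the RDDS service of the Registrar of Record
Registrant Phone: REDACTED FOR PRIVACY

Domain Name: secure-mail-update.test
Registrant Name: REDACTED FOR PRIVACY
Registrant Email: Please query the RDDS service of the Registrar of Record
Registrant Phone: REDACTED FOR PRIVACY
"""

# Constructed watchlist: attributes linked to an earlier campaign.  Values
# are stored lower-cased to match what parse_whois produces.
WATCHLIST: Dict[str, Set[str]] = {
    "email": {"registrant-one@example.invalid"},
    "phone": {"+1.5550100"},
}

FIELD_KEYS = {"Registrant Name": "name", "Registrant Email": "email", "Registrant Phone": "phone"}
PIVOT_FIELDS = ("name", "email", "phone")

# Placeholder text registrars substitute for withheld data.  A value matching
# this is treated as absent: matching on it would link every redacted domain
# to every other, which is exactly the false signal to avoid.
REDACTION_RE = re.compile(r"redacted|please query|not disclosed|data protected", re.I)

Record = Dict[str, Optional[str]]


def parse_whois(text: str) -> List[Record]:
    """Parse blank-line-separated 'Key: value' WHOIS records into dicts."""
    records: List[Record] = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec: Record = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if not sep:
                continue
            key, value = key.strip(), value.strip()
            if key == "Domain Name":
                rec["domain"] = value.lower()
            elif key in FIELD_KEYS:
                rec[FIELD_KEYS[key]] = None if REDACTION_RE.search(value) else value.lower()
        if "domain" in rec:
            records.append(rec)
    return records


def scan(records: List[Record], watchlist: Dict[str, Set[str]]) -> List[Tuple[str, str, str]]:
    """Return (domain, field, value) for each registrant attribute on the watchlist."""
    alerts = []
    for rec in records:
        for field in PIVOT_FIELDS:
            value = rec.get(field)
            if value and value in watchlist.get(field, set()):
                alerts.append((rec["domain"], field, value))
    return alerts


def pivot(records: List[Record], seed_domain: str) -> Set[str]:
    """Domains sharing any non-redacted registrant attribute with seed_domain."""
    seed = next((r for r in records if r["domain"] == seed_domain), None)
    if seed is None:
        return set()
    return {
        rec["domain"]
        for rec in records
        if rec["domain"] != seed_domain
        and any(seed.get(f) and seed.get(f) == rec.get(f) for f in PIVOT_FIELDS)
    }


def redacted_fields(records: List[Record]) -> int:
    """Count registrant fields the registrar withheld (unusable for pivoting)."""
    return sum(1 for rec in records for f in PIVOT_FIELDS if f in rec and rec[f] is None)


if __name__ == "__main__":
    pre = parse_whois(PRE_GDPR_RECORDS)
    for domain, field, value in scan(pre, WATCHLIST):
        print(f"ALERT {domain}: {field} {value!r} is on the watchlist")
    print("linked to example-login-portal.test:", pivot(pre, "example-login-portal.test"))
    post = parse_whois(POST_GDPR_RECORDS)
    print("post-GDPR alerts:", scan(post, WATCHLIST), "redacted fields:", redacted_fields(post))
```

Run against the pre-GDPR set, the watchlist fires on two of the three domains and the pivot ties `secure-mail-update.test` to the seed through the shared registrant email; against the redacted set there are no alerts and no links, even though the two redacted records are byte-for-byte identical in every registrant field. Treating redaction placeholders as missing rather than as values is the detail that matters in practice: a scanner that compares raw strings will happily "link" every privacy-protected domain to every other.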
On paper, the GDPR’s enhanced online-privacy protections apply only to EU citizens. But companies around the world quickly discovered the difficulty of determining which of their users is from an EU member state. And given the hefty fines imposed for noncompliance, domain name registrars like GoDaddy soon decided it was safest to apply the strictest interpretation of GDPR to their global set of customers.
ICANN requires registrars to submit all domain-name information to WHOIS. But though registrars must follow ICANN’s policies, the organization is forbidden from forcing them to violate local laws. And in a bid to limit their legal exposure to the GDPR, the registrars successfully convinced ICANN to pull a veil of secrecy over all domain registration information submitted after May 25 of this year.
The publication of that data had been the norm for two decades prior to GDPR. And even if law enforcement ultimately maintains access, cybersecurity researchers worry about the consequences for the internet ecosystem should WHOIS remain off-limits for everyone else.
“The FBI doesn’t open computer crime cases unless somebody like me brings it to them in the first place, with enough data to say it’s worth their time,” said Bambenek.
Not everyone is convinced that the GDPR has broken a key tool for cybersecurity research. Paul Vixie, the chief executive of cybersecurity firm Farsight Security and a key architect of several domain name system protocols, said increasing efforts by both bad actors and other users to hide their true identities had largely ruined WHOIS long before GDPR came along.
“It’s true the GDPR is putting some pressure on WHOIS,” he told National Journal. “But it’s not like WHOIS was pretty healthy until May 25 of this year. WHOIS was mostly dead, and now it’s on its way to being all dead.”
Vixie also pointed out that even under the old system, domain name registrants could pay extra for a private listing.
But while Barysevich acknowledged WHOIS’s limitations, he warned against discounting its usefulness in tracking down experienced cybercriminals. “We think that nation-state attackers are not making any mistakes, but they do,” he said, explaining that even sophisticated hackers must provide real email addresses or risk being shut out of their domains.
“There is no such thing as total invisibility,” Barysevich said. “There’s always some level of exposure.”
Bambenek noted the existence of private domain names under the old system, but argued that malicious actors almost never used them because it raised a “big red flag” for the sensitive institutions targeted. Organizations like the State Department typically screen out emails, or any other proposed interaction, that emanate from private domain names.
ICANN’s decision to make WHOIS private remains under review, and cybersecurity professionals are hopeful that accommodations can be made to ensure their access to the database while still maintaining user privacy. But that would require assurances from EU regulators that they won’t punish GoDaddy or other domain-name registrars for granting analysts access. And so far, Chen says those regulators have been “remarkably hands-off” during the ongoing debate.
“The law is in their minds clear, and people need to follow it,” said Chen. “And that’s it.”
Walter van Holst, a technology lawyer and a member of the privacy group European Digital Rights, told National Journal that EU courts are unlikely to accommodate any third-party request for access to WHOIS data, even if that request stems from a legitimate interest.
“Parts of the [information security] community appear to be stuck in the first stage of grieving: denial,” van Holst said.
Perhaps the only thing that could tip the scales, some cybersecurity researchers say, is greater involvement by the U.S. government.
Unlike Brussels, Washington tends to place cybersecurity concerns above questions of consumer privacy. And during last week’s meeting in Barcelona, David Redl, the administrator of the National Telecommunications and Information Administration, warned ICANN against permanently restricting WHOIS access.
The U.S. government isn’t keen on a direct confrontation with the EU, and has so far let ICANN and the relevant stakeholders hash out the issue. But if the WHOIS database remains closed at the conclusion of the review next year, Chen believes Washington may have no choice but to step in.
“I’m not sure the U.S. is just going to sit by and watch this happen, if it goes the wrong way,” Chen said.