[BreachExchange] Deleted WHOIS Data: An Unintended Consequence of GDPR

Audrey McNeil audrey at riskbasedsecurity.com
Fri May 18 20:16:21 EDT 2018


Unintended consequences. We see examples everywhere. From the mundane – the
New Year’s resolution exercise regime that’s not vetted first with a
medical professional and leads to injury. To the legendary – the 100
starlings introduced to the U.S. in 1890 by a Shakespeare aficionado, that
have multiplied exponentially and now wreak havoc on an ecosystem they were
not naturally part of. To the ubiquitous – the development boom in
prosperous cities and the fallout from congestion and lack of affordable

As security professionals, next week we can expect to see another example
of an unintended consequence when the General Data Protection Regulation
(GDPR) goes into effect. There are actually a few unintended consequences
of the new regulation, but one of the most concerning is the response that
domain registrars are working out through the Internet Corporation for
Assigned Names and Numbers (ICANN), the global body that coordinates the
domain name system and, through its contracts with registrars and
registries, sets the rules for WHOIS data. WHOIS is essentially a telephone
directory-like structure that records who registered a specific Internet
domain, including their name, postal address, email address and telephone
number. Because much of that is personal data, it falls under the GDPR's
protection requirements. As a result, under current proposals, many of the
businesses that register domains will remove key elements of information
from the system. In effect, on May 25 the system will "go dark" until
alternative preparations are made, which ICANN representatives expect
won't start being implemented until December

GDPR is a sensible law that exists for very good reasons and, in fact, is
an evolution of legislation currently in place. But in the quest to further
protect the personal data and privacy of citizens of EU countries, we could
be creating a riskier world. The problem is that WHOIS is routinely used by
companies and individuals to fight computer fraud and other criminal
activity on the Internet. This data often serves as a trail of breadcrumbs
that leads security researchers from one domain to the person or group
registering domains to launch global spam, malware and botnet campaigns.
For example, the email address listed as the technical contact for one
domain may be the same address used to register the domains in a specific
malware campaign, or the address given for the primary business contact
may repeat across several registrations. (Registrants can lie, and privacy
proxy services already mask some records, so such links are leads to
corroborate rather than proof.) The directory is a useful tool to spot
these patterns, coordinate efforts, gain insight into who is likely
responsible for malicious activity, and even anticipate the actor's next
move so defenders can get ahead of potential attacks.
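The pivot the paragraph above describes, as an added worked example (this is not code from the original article). It parses "Key: value" WHOIS output, collects the contact emails and name servers from each record, and groups domains that share a value. All four records are constructed for illustration: the domains, names, addresses and name servers are made up (the `.invalid` TLD is reserved for that), and the placeholder wording treated as "redacted" is an assumption, since real registrars vary the exact text. The last record shows what a redacted entry looks like: its contact fields link to nothing, and only the name server still pivots.

```python
"""Pivot across WHOIS records on shared contact fields.

Added example, not code from the original article. Every record below is
constructed: domains, names, email addresses and name servers are made up.
"""
from collections import defaultdict

# Constructed sample WHOIS output in the "Key: value" layout registrars emit.
SAMPLE_WHOIS = {
    "example-login-update.com": """\
Domain Name: EXAMPLE-LOGIN-UPDATE.COM
Creation Date: 2018-04-02T10:11:12Z
Registrant Name: J. Doe
Registrant Email: ops-contact@example.net
Admin Email: ops-contact@example.net
Tech Email: noc@example-hosting.invalid
Name Server: NS1.EXAMPLE-HOSTING.INVALID
""",
    "secure-account-verify.net": """\
Domain Name: SECURE-ACCOUNT-VERIFY.NET
Creation Date: 2018-04-09T08:00:00Z
Registrant Name: John Doe
Registrant Email: Ops-Contact@example.net
Admin Email: ops-contact@example.net
Tech Email: ops-contact@example.net
Name Server: NS1.OTHER-DNS.INVALID
""",
    "unrelated-shop.org": """\
Domain Name: UNRELATED-SHOP.ORG
Creation Date: 2015-01-20T12:00:00Z
Registrant Email: owner@unrelated-shop.org
Name Server: NS1.OTHER-DNS.INVALID
""",
    "invoice-portal-login.info": """\
Domain Name: INVOICE-PORTAL-LOGIN.INFO
Creation Date: 2018-05-26T09:30:00Z
Registrant Name: REDACTED FOR PRIVACY
Registrant Email: REDACTED FOR PRIVACY
Admin Email: REDACTED FOR PRIVACY
Tech Email: REDACTED FOR PRIVACY
Name Server: NS1.EXAMPLE-HOSTING.INVALID
""",
}

# Fields worth pivoting on, and the placeholder wording that marks a
# redacted value (assumed forms; real registrars vary the exact text).
CONTACT_FIELDS = ("registrant email", "admin email", "tech email")
REDACTED_MARKERS = ("redacted", "data protected", "please query")


def parse_whois(text):
    """Parse 'Key: value' lines into {lowercase key: [values]}.

    Keys can repeat (several Name Server lines), so values are kept as
    lists. Lines without a colon (comments, blank lines) are ignored.
    """
    record = defaultdict(list)
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() and value.strip():
            record[key.strip().lower()].append(value.strip())
    return dict(record)


def is_redacted(value):
    """True if the value is a privacy placeholder rather than real data."""
    lowered = value.lower()
    return any(marker in lowered for marker in REDACTED_MARKERS)


def pivot_values(record):
    """Return the (kind, value) pairs that can link this record to others."""
    pivots = set()
    for field in CONTACT_FIELDS:
        for value in record.get(field, []):
            if not is_redacted(value):
                pivots.add(("email", value.lower()))
    # Name servers survive redaction, but shared DNS hosting makes them a
    # weaker link than a shared contact address.
    for ns in record.get("name server", []):
        pivots.add(("nameserver", ns.lower()))
    return pivots


def cluster_by_pivot(whois_records):
    """Map each pivot shared by two or more domains to those domains."""
    index = defaultdict(set)
    for domain, text in whois_records.items():
        for pivot in pivot_values(parse_whois(text)):
            index[pivot].add(domain)
    return {p: sorted(d) for p, d in index.items() if len(d) >= 2}


if __name__ == "__main__":
    for (kind, value), domains in sorted(cluster_by_pivot(SAMPLE_WHOIS).items()):
        print(f"{kind:<10} {value:<32} {', '.join(domains)}")
```

On this input the shared registrant address ties the first two lookalike domains together, while the redacted fourth domain can only be linked through its name server, which it also shares with an unrelated shop; that is the loss of fidelity the article is describing.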

Without access to this critical resource, combating criminal behavior on
the Internet becomes much more difficult. To make matters worse, during the
intervening months before a GDPR-compliant means of access is available,
attackers will be able to exploit this new-found anonymity to their
advantage. We may see an uptick in spam and, more generally, in criminal
activity. As we alter our methods for data handling, we could be exposing
the very individuals we are striving to protect, to additional

However, there are ways to compensate for the lack of ready access to WHOIS
data over the next several months. We need to remember that digital risks
come from all kinds of adversaries and from places beyond the network
boundary. Digital risks include cyber threats, data exposure, brand
exposure, third-party risk, VIP exposure, physical threats and
infrastructure exposure. These threats and risks often span data sources
and cannot be seen in full context from any single source, or even from
multiple sources used in isolation. As I've discussed before, you need
insight across the widest possible range of data sources to mitigate
digital risk and better protect your organization.

Those combating computer crime and fraud will benefit from further
diversifying their methods for spotting criminal activity; WHOIS data is
not the only source. For example, monitoring Pastebin and social media for
mentions of your company, your IP addresses and even your industry can
tell you whether you have been targeted, or are likely to be, so you can
proactively strengthen defenses. Visibility into sites that trade in
hacked servers and remote desktop protocol (RDP) access lets you look for
mentions of your own IP addresses. And monitoring the dark web can provide
information on threat actor profiles, helping you understand their
motivation and gauge their credibility.
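One concrete form of the paste and marketplace monitoring just described, as an added example (not code from the original article): scan each piece of collected text for addresses inside your own CIDR ranges and for your brand name as a whole word, and keep only the items that hit. The paste snippets, the fictional brand "ExampleCorp" and the address ranges are all constructed; the ranges are taken from the documentation blocks reserved for examples. Candidate dotted quads are validated with the standard library so strings like 999.0.113.1 that merely look like addresses are not counted.

```python
"""Check collected paste text for mentions of your own IP space and brand.

Added example, not code from the original article. The paste snippets,
the network ranges and the brand name are constructed.
"""
import ipaddress
import re

# Anything shaped like a dotted quad; validated properly below.
IPV4_CANDIDATE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def find_mentions(text, own_networks, keywords):
    """Return {'ips': [...], 'keywords': [...]} for hits in one text.

    own_networks: CIDR strings for the address space you own.
    keywords: brand or product names matched case-insensitively as words.
    """
    networks = [ipaddress.ip_network(n) for n in own_networks]
    ips = set()
    for match in IPV4_CANDIDATE.finditer(text):
        try:
            addr = ipaddress.ip_address(match.group())
        except ValueError:
            # e.g. 999.0.113.1 matches the regex but is not an address
            continue
        if any(addr in net for net in networks):
            ips.add(str(addr))
    words = {
        kw for kw in keywords
        if re.search(r"\b" + re.escape(kw) + r"\b", text, re.IGNORECASE)
    }
    return {"ips": sorted(ips), "keywords": sorted(words)}


def triage(pastes, own_networks, keywords):
    """Return only the pastes that mention your address space or names."""
    hits = {}
    for paste_id, text in pastes.items():
        found = find_mentions(text, own_networks, keywords)
        if found["ips"] or found["keywords"]:
            hits[paste_id] = found
    return hits


# Constructed inputs: TEST-NET documentation ranges and a fictional brand.
OWN_NETWORKS = ["203.0.113.0/24", "198.51.100.0/25"]
KEYWORDS = ["ExampleCorp"]
SAMPLE_PASTES = {
    # one of our addresses plus someone else's
    "paste-1": "rdp dump: 203.0.113.17:3389 admin:Passw0rd 192.0.2.44:3389 user:123456",
    # brand only, different case
    "paste-2": "examplecorp vpn creds for sale, hit me up",
    # outside our /25, and an invalid octet
    "paste-3": "scan results 198.51.100.200 999.0.113.1 open ports",
    # nothing of ours
    "paste-4": "random config dump with nothing relevant 10.0.0.1",
}

if __name__ == "__main__":
    for paste_id, found in triage(SAMPLE_PASTES, OWN_NETWORKS, KEYWORDS).items():
        print(paste_id, found)
```

Only the first two pastes survive triage: one because it lists an address in the owned /24 next to what looks like RDP credentials, the other because it names the brand. The /25 boundary and the malformed address in the third paste are exactly the false positives a naive substring search would raise.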

Additionally, security experts are speaking up and pointing out how removal
of this contact information makes our fight much harder. We need to
encourage registrars that make computer domains available to revisit their
proposed response. After all, it is up to them how they implement GDPR
compliance measures. It is important to find an easy way to provide access
while respecting the privacy of registrants. The unintended effect of
removing WHOIS data entirely, is not a good outcome for consumers or the

Despite our best intentions, change often brings unintended consequences.
But by monitoring across the entire Internet for risks and sharing our
perspectives, those of us responsible for fighting cybercrime can help
mitigate these outcomes.