On May 25th, 2018, the General Data Protection Regulation (GDPR) went into effect. While the regulation is intended to protect the privacy of individuals, ironically, it created a last-minute scramble that caused millions of unsolicited emails to be sent around the world notifying customers of updated privacy policies and making requests for marketing consent. The impact of GDPR is being felt not only by businesses and individuals, but also by security researchers, investigators, and those who offer security products and services that rely on WHOIS data. GDPR impacts everyone who processes EU personal data. To understand that impact, it might be useful to understand who’s involved and how we got to this point. We’ll attempt to provide an overview here, in layman’s terms, before we share our thoughts on how it will impact Cisco Umbrella. (Feel free to skip to the last section if you’re up to speed on GDPR and WHOIS.)
What is the GDPR?
In short, the GDPR is a European Union data protection regulation – the law for all 28 member states. The regulation is a result of years of negotiation and drafting among the European Parliament, Council of the European Union, and European Commission that built upon decades-old privacy principles and the 1995 EU Data Protection Directive. The result was a robust, risk-based data protection law calling for transparency, fairness, and accountability when processing EU personal data. To drive compliance, the GDPR comes with enhanced penalties for egregious misconduct — up to 20 million Euros (roughly $23.5 million at the time of writing) or 4 percent of the offender’s worldwide annual revenue, whichever is greater. As an EU law, GDPR was intended to protect EU citizens; however, it actually protects anyone within EU borders (citizen, resident, visitor, or otherwise) and applies to companies outside of the EU to the extent they are monitoring activities or offering goods and services to persons physically in the EU, irrespective of citizenship status.
IANA, ICANN, and WHOIS
Developed mainly for government, academic, and military sites, the Net’s early domain and naming management was the responsibility of a single individual. Jon Postel earned his Ph.D. in Computer Science at UCLA in 1974, and was key in the creation of IANA, the Internet Assigned Numbers Authority. More of a function than an organization, Jon lead IANA, working for USC’s Information Sciences Institute until his death in October 1998. (Side note: A fascinating history of Jon’s contributions and the standards, policies, and culture he helped to create were captured in a web archive dedicated to his honor.)
ICANN (Internet Corporation for Assigned Names and Numbers) was formed in 1998, when USC entered a contract to transition IANA’s functions to a not-for-profit corporation as part of a private-public partnership. IANA became a division of ICANN, which among other things, had responsibility for “IP address space allocation, protocol identifier assignment, generic (gTLD) and country code (ccTLD) Top-Level Domain name system management, and root server system management functions.” As part of this management, ICANN provides accreditation to registrars all around the world, accepting registration and contact information for registered domains and publishing via a protocol or service known as WHOIS.
WHOIS has been the defacto source for those seeking information for domains and their owners, including names, addresses, emails, and phone numbers for administrative and technical contacts. I had written more here, but since I’m not an attorney (and need to get this blog post approved by our attorneys), I’m scrapping my attempt at more thorough explanation. What’s important to note is that some registrars have redacted data from WHOIS, while it looks like others may keep publishing. That means the service may end up being less valuable to brand owners, lawyers, and cybersecurity researchers who utilize WHOIS to perform tasks, like identifying malicious domains or researching infringement claims, for example.
On May 17th, ICANN’s board voted to approve a “Temporary Specification.” What’s to note here is the reference to a proposed “tiered-access” system. Under that system, a great deal of personal information will be unavailable to the public, but certain vetted third-parties who have a “legitimate interest” and receive accreditation from ICANN might be granted less restricted levels of access to WHOIS data.
The #ICANN Board has voted to adopt the Temporary Specification for gTLD Registration Data. More information can be found at https://t.co/rQ7lQoAiRh and in Board Chair, Cherine Chalaby’s, latest blog post https://t.co/KoPCV7Aq1M pic.twitter.com/Vob3i1Myvw
— ICANN (@ICANN) May 18, 2018
IMPACT ON SECURITY RESEARCH & CISCO UMBRELLA
As we mentioned at the start of this post, WHOIS has been a valuable tool for security researchers looking to investigate domains. Registration records create a breadcrumb trail of sorts, and are especially useful when cyber criminals recycle or reuse any of the registration information they provide. KrebsOnSecurity recently challenged a widely-held belief that WHOIS isn’t reliable because cyber criminals don’t use their real information when they register a malicious domain. According to Krebs, “Whether or not cyber crooks do provide their real information is beside the point. ANY information they provide — and especially information that they re-use across multiple domains and cybercrime campaigns — is invaluable to both grouping cybercriminal operations and in ultimately identifying who’s responsible for these activities.” In addition, while some registrars offer WHOIS privacy services, cyber criminals aren’t always willing to pay for these services. Even when they do, a “brief window of visibility” into the details of the registration may be captured and indexed when a registrant moves to a different hosting provider. If a phishing site is only online for a few hours, WHOIS data becomes another tool in the toolbox, providing a point-in-time record that could help to identify and thwart malicious behavior.
In speaking with Cisco Security researchers and investigators, it is clear that the registration details in WHOIS records are useful, but they’re not the only breadcrumbs that cyber criminals leave behind. True, our teams utilize a WHOIS classifier used to block domains that may not be very useful in the short term should registration details cease to be published, but our incredible team of dedicated security professionals have other tools in the toolbox in the form of robust classifiers, algorithms, and statistical models we rely on to identify and block threats. Not having WHOIS data is akin to a bank robber who wears a mask. Even if we can’t see the robber’s face, we undoubtedly have other details like height, weight, a description of the getaway vehicle, witness testimony, and surveillance video. Plus, we can see if there are other recent robberies and test for fingerprints or DNA or some other identifying factors. Sure, it would have been easier had the robber not worn a mask, but we expect robbers to disguise themselves, and we have developed ways to get around that. To sum it up, while Cisco Umbrella Investigate customers may soon be unable to view complete WHOIS data in the dashboard as they have in the past, GDPR is not expected to significantly impact our overall ability to identify and block threats.
Until the dust settles on GDPR and WHOIS, the security community expects that some cyber criminals may look to take advantage of the uncertainty. If you’re not already a Cisco Umbrella customer, now might be a good time to take advantage of our free trial. You can follow us on Twitter at @opendns.
A special thanks to Artsiom Holub for contributing to this post. You can follow Artsiom at @Mesiagh