The EU’s General Data Protection Regulation (GDPR) is resulting in internet domain registrars hiding domain registration information to avoid fines for non-compliance.
Domain registration information is published by domain registrars in the international Registration Directory Service (RDS), formerly known as Whois, which enables anyone to find the name, address and contact details of all domain registrants.
This data is often used by cyber crime fighters to link malicious domains so that once one is discovered, others being used by the same cyber criminals can be flagged and blocked proactively to prevent further damage by single cyber crime actors or cyber crime campaigns.
Cyber criminals typically register a few hundred, even thousands, of domains for their activities, and even if fake details are used, registrants have to use a real phone number and email address, which is enough for the security community to link associated domains.
Using high-speed machine-to-machine technology and with full access to Whois data, Barlow said organisations such as IBM were able to block millions of spam messages or delay activity coming from domains associated with the individuals linked to spam messages.
While the GDPR is designed to enhance the privacy of individuals, it is having the unintended effect of encouraging domain registrars not to submit registration details to the RDS, which means the information is incomplete and of less value to cyber crime fighters.
Without access to Whois data, IBM X-Force analysts predict it might take more than 30 days to detect malicious domains by other methods, leaving organisations at the mercy of cyber criminals during that period.
As the GDPR compliance deadline of 25 May approaches, a growing number of registrars are “going dark”, according to Caleb Barlow, vice-president, threat intelligence, at IBM Security.
“The intent of the GDPR is to protect privacy, but a failure to get the approach to domain registration information right could send that whole intent sideways”
Caleb Barlow, IBM Security
“EU regulators and Icann [Internet Corporation for Assigned Names and Numbers] need to sit down and talk to find a solution to this little-understood issue,” he told Computer Weekly.
It is unacceptable, said Barlow, to proceed at “full force and speed” and allow registrars to continue to “go dark”, because that means the security community will lose the ability to coordinate bad domain blocking on a massive scale to halt cyber criminal campaigns within hours rather than days, weeks and even months.
Flouting Icann rules to comply with GDPR
“The other likely implication of this is that because people will receive more spam, they will have more opportunities to click on malicious links that will result in cyber attacks, which could easily result in a larger privacy loss than the GDPR protects,” he said.
“The intent of the GDPR is to protect privacy, but a failure to get the approach to domain registration information right could send that whole intent sideways.”
According to Barlow, the only response so far from EU regulators on the issue has been to reject proposed solutions and to ask for greater protections from Icann for the personal data of European domain registrants, while Icann is calling for exemption of registrant data from the GDPR for another year to allow time for the issue to be resolved.
Under Icann rules, domain registration information must be published, but registrars are opting to flout Icann rules, for which there is no monetary penalty, in favour of applying internationally applicable GDPR rules to avoid the significant monetary penalties for non-compliance.
“Compounding the problem is the fact the registrars are applying this universally, not just for European registrants, with the result that the GDPR is having an impact on one of the basic tenets on which the internet was built, namely full transparency about who is behind an internet domain,” said Barlow.
“A delay in applying the GDPR rules to registrant data is a good idea, because although we have known for several years that the GDPR was coming, no one anticipated that it would have the effect on registrars that it is having,” he said.
According to Barlow, there are several potential ways of solving the problem, including setting up a mechanism for access to the data only by registered, certified users, but he said a way has to be found to ensure that the “single most important tool for preventing cyber crime” does not become inaccessible, which would be “really bad” for privacy.
IBM, said Barlow, is among many groups and individuals calling for European regulators to work with the right parties to ensure security teams continue to have access to the data they need to help stop cyber crime through a discussion of possible consequences and remedies.
Barlow called on security professionals around the world to contribute to the conversation regarding the unintended consequences of interpreting the GDPR to restrict access to Whois data in cyber security research contexts.
“Preserving the resiliency, transparency and accountability of the internet is key, given the national and economic security issues that could result,” he said.