On May 25, the rock is set to meet the hard place — and what happens when the two clash is anyone's guess. That's the date that the EU's GDPR goes into effect — and when WHOIS, the domain information lookup service, may be forced to stop publishing data about the owners of websites that are owned or associated with persons in the European Union. As a result, law enforcement, forensic investigators, and others seeking to track down bad actors such as money launderers, hackers, and child pornographers will no longer be able to rely on what has been a default tool for such investigations.
The General Data Protection Regulation (GDPR) is the European Union's grand plan to preserve the privacy of individuals and businesses in Europe. An evolution of the Union's original 1995 Data Protection Directive adopted at a time when the Internet was in its infancy, the GDPR aims to ensure that privacy remains intact, despite new technologies.
Those technology changes include the emergence of big data, artificial intelligence, and machine learning — technologies that make it much easier to identify individuals or entities. Even if the data is anonymized, the enormous number of data points available makes identifying those individuals or entities a relatively simple matter. A prominent rule in GDPR is that data associated with EU "natural persons," or data that passes through EU-based servers, is subject to enhanced privacy rules.
What does this have to do with WHOIS? Simply, WHOIS — via its controlling organization called Internet Corporation for Assigned Names and Numbers (ICANN) — publishes identification data for registered domain owners. If ICANN wants to do business with the EU, its "natural persons," or entities that store data on servers accessed from the EU, it can no longer do so without making major changes.
The problem here is that cybersecurity and anti-cybercrime organizations have built much of their investigation models on WHOIS data. There are many other paid services, as well as customized tools based on WHOIS data, that enable organizations to track down criminals, or even shut down their operations.
For example, an email address used in two seemingly unrelated domains can give insights into hidden connections and underlying transactions. Tools using information from the WHOIS database have been used to successfully track down everything from credit card fraud to child porn rings. Based on the current interpretation of how the GDPR privacy rules are to be applied, the services that allow law enforcement and security personnel to stop spam, malware, credit card fraud, child porn, and a host of other illegal activities will no longer be readily available.
ICANN is currently trying to work out a solution that will comply with GDPR regulations yet still enable it to provide information, especially for cybersecurity purposes (as it has for at least a year). Some ideas have been proposed, but so far an acceptable solution to both sides has not been developed. A proposed timeline sees ICANN coming up with a potential GDPR-approved solution in May 2019 — a year after the rules go into effect.
Whatever the solution, one thing is clear: organizations that depend on access to WHOIS data will have major challenges that will require either extensive bureaucracy or court orders and subpoenas to track down identity information on bad actors.
If using registration information is out of bounds, companies will have to dig deeper to track down hackers and cyber thieves. One way they can do that is via comprehensive, big data–based analysis of relationships of all websites to prevent sophisticated cybercrime, such as electronic money laundering or transaction laundering. Transaction laundering occurs when an undisclosed business uses an approved merchant's payment credentials to process payments for another undisclosed store selling unknown products and services.
This advanced online fraud scheme takes advantage of legitimate payment ecosystems by funneling unknown e-commerce transactions through legitimate merchant accounts. Valid websites act as payment processing storefronts for criminal enterprises selling firearms, illicit drugs, child pornography, and other illegal goods.
For merchants worried about credit card fraud and transaction laundering, a big data analysis system has the ability to detect hidden connections across online entities. The same tactics could apply to spam attacks, ransomware attacks, or any other unwanted activity. Comprehensive and continuous monitoring of big data can lead to insights on the identification and activities of bad actors hiding behind the scenes.
The inevitable changes to WHOIS exposes the real issue for companies that have relied on its service for so many decades. Although WHOIS has become a trusted online resource, it is not and has not been a complete, dynamic force fighting the ever-evolving world of cybercrime. The usefulness of WHOIS for data was already being called into question by the increased usage of masking services and incomplete or fake registration data. If cybercriminals are leveraging advanced technology, shouldn't we be doing the same to stop them?
These affected industries are now faced with the responsibility to share intelligence and pursue comprehensive solutions that keep pace with advanced technology while remaining compliant with newly enforced regulations.
For law enforcement and those concerned with the prevention of cyber fraud, understanding the WHOIS versus GDPR issue is crucial. These organizations will need to find new tools and practices that can replace or enhance the service WHOIS once provided.
- GDPR 101: Keeping Data Safe Throughout the 'Supply Chain'
- GDPR Compliance: 5 Early Steps to Get Laggards Going
- A Data Protection Officer's Guide to GDPR 'Privacy by Design'
- DPO's Guide to the GDPR Galaxy