Why The Public Directory Of Domain Names Is About To Vanish

Uploaded on 2018-11-14 in NEWS-Cybersecurity News, FREE TO VIEW, BUSINESS-Services-Law

The WHOIS service has run into the legal landmine of European data regulation and highlighted the weakness of consensus-based internet governance in the face of the law.

Until May 2018, anyone could look up the name and contact details for the owner of a domain name. The Internet Corporation for Assigned Names and Numbers (ICANN), the US-based private company that coordinates internet domains and IP addresses, required companies that register domain names to collect and publish personal data in the so-called WHOIS service.

While far from a household name, WHOIS was widely relied upon by law enforcement and intellectual property owners to investigate and combat online crime and abuse. At the same time, privacy advocates and regulators have raised concerns (opens in new window) about the mandatory publication of every domain name holder’s name and contact details. These groups, each with their legitimate viewpoints, have been talking – sometimes shouting – past each other within ICANN for the past 20 years.

Then in May, the European General Data Protection Regulation (GDPR) arrived. The principles relevant to publication of WHOIS data were unchanged, but the GDPR’s big fines and long-arm jurisdiction captured the attention of the dominant US players within ICANN. Suddenly data protection became everyone’s problem, not just a quirky European wrinkle.

Despite warnings from several groups, the ICANN community as a whole failed to see the GDPR coming until a few months before GDPR took effect. There was a mad scramble to put in place a temporary policy that would be compliant with privacy laws.

On 25 May, the WHOIS 'went dark' –- all personal data was removed. Since then, ICANN has sued one of its own registrars in Germany for refusing to collect certain WHOIS data items. ICANN has so far lost at first instance (both on an emergency application (opens in new window) and full hearing (opens in new window)), then on appeal (opens in new window), and has failed (opens in new window) to obtain a reference to the Court of Justice of the EU. The German courts gave the status of ICANN’s consensus policies and contracts short shrift in the face of a European regulation.

In an effort to salvage a publicly accessible WHOIS service, ICANN has set up an emergency working group. The group is tasked to agree what, if any, registration data could still be collected and published on the WHOIS (company data? Non-EU data?), while a separate group is trying to agree rules to allow law enforcement and others access to non-public registration data. 

The emergency working group was due to make its interim recommendations by an ICANN meeting in Barcelona in October, but the meeting approaches, there is no sign of consensus.

Any policymaker will recognize that there are some issues on which multiple stakeholders will have incompatible, but legitimate views. In such cases, someone neutral has to step in to frame a solution which can reasonably satisfy all interests, without one side ‘winning’.

This approach is absent by design from the ICANN multi-stakeholder process, where policies are formed through consensus in a bottom-up process, and ICANN the organization assumes a passive role. The current temporary policy was only possible because the ICANN board imposed it, in an unprecedented break from tradition.

So, what will happen next? As is often the case with ICANN, the organization and its multi-stakeholder process is facing an existential crisis. Unable to solve this thorny policy issue for 20 years, ICANN’s latest group is unlikely to find consensus in the following days.

ICANN has lost in the German courts and the European Data Protection Board views with skepticism ICANN's claims that the interest of 'third parties' can justify continued collection and publication of WHOIS data.

Most public registers (like Companies House or the Land Registry in the UK) are required by statute, giving legal cover for their processing of personal data. There is no an equivalent in the ICANN world. ICANN has no ability to impose laws – it can only create 'consensus policies' which are reflected in contracts.

This may be a pragmatic way to achieve international implementation of policy, bypassing the dreary complexity of jurisdiction and international agreements. But consensus policies are informal instruments which, apparently, do not have the required status to offer protection or exemptions from the enforcement regimes of European regulations.

In recent years, intelligence agencies and law enforcement have consistently complained that the Internet is ‘going dark’. This narrative is part hyperbole and partly accurate, reflecting uptake of end-to-end encrypted applications such as WhatsApp, Signal and Telegram, adverse legal decisions in relation to the collection of bulk data, and stronger encryption available at the transport layer, such as TLS 1.3.

The WHOIS represented a small but strategic jump-off point for investigations, allowing law enforcement to look for patterns, or identify lines of enquiry. While the ICANN community struggles to find a way forward, yet another tool for law enforcement has disappeared.

Chatham House:

Emily Taylor is Associate Fellow, International Security at Royal Institute of International Affairs
 
You Might Also Read: 
 
EU Cybersecurity Act Could Impact Cross-Border Data Flows:
 
Russia Will Build A Separate Internet Directory:
 
 
« Can AI Be Used To Fight Crime?
Schoolboy Hacked Mock Florida Election Site In 10 Minutes »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

Directory of Cyber Security Suppliers

Directory of Cyber Security Suppliers

Our Supplier Directory lists 8,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

F5 Networks

F5 Networks

F5 products ensure that network applications are always secure and perform the way they should—anywhere, any time, and on any device.

EclecticIQ

EclecticIQ

EclecticIQ is a global provider of threat intelligence, hunting and response technology and services.

DataVisor

DataVisor

DataVisor is a big data fraud detection and anti-money laundering solution.

Hitachi Systems Security

Hitachi Systems Security

Hitachi Systems Security provides customized services for monitoring and protecting the most critical and sensitive IT assets in our clients’ infrastructures 24/7.

Entel CyberSecure

Entel CyberSecure

Entel CyberSecure is a portfolio of Cybersecurity solutions and services for the protection, defense, risk management and regulatory compliance of ICT Systems for corporations and Government.

Celerium

Celerium

Celerium transforms cyber defense for both companies and industry sectors by leveraging cyber threat intelligence to defend against cyber threats and attacks.

Arkose Labs

Arkose Labs

Arkose Labs' Fraud and Abuse Platform combines Telemetry and adaptive Enforcement Challenges to break down the ROI of fraudsters and protect digital businesses.

Estio Training

Estio Training

Estio Training is a specialist digital and IT apprenticeships provider, dedicated to introducing new skills and developing existing talent in businesses across the UK.

Cyber Polygon

Cyber Polygon

Cyber Polygon is an annual online exercise which connects various global organisations to train their competencies and exchange best practices.

Nexon Asia Pacific

Nexon Asia Pacific

Nexon solutions include cloud infrastructure and services, unified communications, managed security services, business continuity, secured high-performance network and business applications.

ECS Ethiopia

ECS Ethiopia

ECS Ethiopia provides Ethiopia’s leading institutions with top cyber-security expertise and technology to enable them to overcome risks and market barriers enabling them to grow their business.

Truly Secure

Truly Secure

Truly Secure is an IT Service Provider that ensures greater efficiency and security within a company's technological environment.

Zyber 365 Group

Zyber 365 Group

Zyber 365 are providing a robust, decentralized, and cyber-secured operating system which adheres to the fundamental principles of environmental sustainability.

Brightworks Group

Brightworks Group

BrightWorks Group offer comprehensive technology operations and security operations consulting services, tailored to meet your specific needs.

Cambridge International Systems

Cambridge International Systems

For more than 25 years, Cambridge has been fighting bad actors in both the cyber and physical worlds.

XBOW

XBOW

XBOW brings AI to offensive security, augmenting the work of bug hunters and security researchers.