Why The Public Directory Of Domain Names Is About To Vanish

The WHOIS service has run into the legal landmine of European data regulation and highlighted the weakness of consensus-based internet governance in the face of the law.

Until May 2018, anyone could look up the name and contact details for the owner of a domain name. The Internet Corporation for Assigned Names and Numbers (ICANN), the US-based private company that coordinates internet domains and IP addresses, required companies that register domain names to collect and publish personal data in the so-called WHOIS service.

While far from a household name, WHOIS was widely relied upon by law enforcement and intellectual property owners to investigate and combat online crime and abuse. At the same time, privacy advocates and regulators have raised concerns about the mandatory publication of every domain name holder’s name and contact details. These groups, each with their legitimate viewpoints, have been talking – sometimes shouting – past each other within ICANN for the past 20 years.

Then in May, the European General Data Protection Regulation (GDPR) arrived. The principles relevant to publication of WHOIS data were unchanged, but the GDPR’s big fines and long-arm jurisdiction captured the attention of the dominant US players within ICANN. Suddenly data protection became everyone’s problem, not just a quirky European wrinkle.

Despite warnings from several groups, the ICANN community as a whole failed to see the GDPR coming until a few months before GDPR took effect. There was a mad scramble to put in place a temporary policy that would be compliant with privacy laws.

On 25 May, the WHOIS 'went dark' – all personal data was removed. Since then, ICANN has sued one of its own registrars in Germany for refusing to collect certain WHOIS data items. ICANN has so far lost at first instance (both on an emergency application and full hearing), then on appeal, and has failed to obtain a reference to the Court of Justice of the EU. The German courts gave the status of ICANN’s consensus policies and contracts short shrift in the face of a European regulation.

In an effort to salvage a publicly accessible WHOIS service, ICANN has set up an emergency working group. The group is tasked with agreeing what, if any, registration data could still be collected and published on the WHOIS (company data? Non-EU data?), while a separate group is trying to agree rules to allow law enforcement and others access to non-public registration data.

The emergency working group was due to make its interim recommendations by an ICANN meeting in Barcelona in October, but as the meeting approaches, there is no sign of consensus.

Any policymaker will recognize that there are some issues on which multiple stakeholders will have incompatible, but legitimate views. In such cases, someone neutral has to step in to frame a solution which can reasonably satisfy all interests, without one side ‘winning’.

This approach is absent by design from the ICANN multi-stakeholder process, where policies are formed through consensus in a bottom-up process, and ICANN the organization assumes a passive role. The current temporary policy was only possible because the ICANN board imposed it, in an unprecedented break from tradition.

So, what will happen next? As is often the case with ICANN, the organization and its multi-stakeholder process are facing an existential crisis. Unable to solve this thorny policy issue for 20 years, ICANN’s latest group is unlikely to find consensus in the following days.

ICANN has lost in the German courts and the European Data Protection Board views with skepticism ICANN's claims that the interest of 'third parties' can justify continued collection and publication of WHOIS data.

Most public registers (like Companies House or the Land Registry in the UK) are required by statute, giving legal cover for their processing of personal data. There is no equivalent in the ICANN world. ICANN has no ability to impose laws – it can only create 'consensus policies' which are reflected in contracts.

This may be a pragmatic way to achieve international implementation of policy, bypassing the dreary complexity of jurisdiction and international agreements. But consensus policies are informal instruments which, apparently, do not have the required status to offer protection or exemptions from the enforcement regimes of European regulations.

In recent years, intelligence agencies and law enforcement have consistently complained that the Internet is ‘going dark’. This narrative is part hyperbole and part accurate, reflecting uptake of end-to-end encrypted applications such as WhatsApp, Signal and Telegram, adverse legal decisions in relation to the collection of bulk data, and stronger encryption available at the transport layer, such as TLS 1.3.

The WHOIS represented a small but strategic jump-off point for investigations, allowing law enforcement to look for patterns, or identify lines of enquiry. While the ICANN community struggles to find a way forward, yet another tool for law enforcement has disappeared.

Chatham House:

Emily Taylor is Associate Fellow, International Security at Royal Institute of International Affairs
 