Have you noticed that you can’t get as much information as you used to from the WHOIS database? You used to be able to get personal information about the registrant, admin and technical contact of an internet domain from its domain name registration through the WHOIS lookup. No more.
Why did this happen? Since the database contained the personal information of many European residents, it was found to be non-compliant with the General Data Protection Regulation (GDPR), the EU’s sweeping regulation to protect online privacy. On May 17, 2018, the Internet Corporation for Assigned Names and Numbers (ICANN) adopted a temporary specification requiring registries and registrars to remove all personal data from publicly available WHOIS records.
This is occasionally inconvenient for a lot of us, but Europol, the EU’s law enforcement intelligence agency, feels more strongly. It says, “This is significantly hampering the ability of investigators across the world to identify and investigate online crime.”
Slowing the Hunt
As Europol puts it in its recently released “Internet Organized Crime Threat Assessment (IOCTA) 2018”:
“From 25 May (the day the GDPR went into effect) law enforcement agencies need to initiate formal legal process and mutual legal assistance and get a specific authorization from a prosecutor or a judge to obtain information on registrants of domain names from registries, registrars and lower-level providers. This comes with a substantial administrative burden as well as long delays which may be much longer than the period for which the data in question is being retained. By the time formal procedures are concluded, the data may therefore no longer exist.
“Alternatively, some registries and registrars have started to provide request forms to ask for registrant information. They ask requestors to provide their name, organization, email address, and which specific domains they want to access. Investigators are also asked to give pertinent details (including the legal basis for the request) and to explain their legitimate interest for access.
“None of the access systems above are satisfying law enforcement needs.
“Not only do they not scale (in order to map a botnet or an online criminal infrastructure, several thousands of WHOIS queries are necessary), but they also fail to protect the confidentiality of the investigation. In addition, there is no guarantee that registry or registrar operators will not notify their clients that their domain is being investigated.”
ICANN is working to develop a better model for access to WHOIS data, but it is not expected to have it ready before mid-2019. Until then, the bad guys may get a bit ahead of the good guys.
Ah, the irony.
A Great Report
Somebody in my position as a consultant on computer security ultimately becomes a bit of a connoisseur of threat reports. This one, from Europol, has all kinds of good information. A good high-level summary of the report is available in Data Breach Today, but for lovers of the craft, I recommend a full reading, at the URL a few paragraphs above.