'Unintended Consequences': Post-GDPR Whois Access Problems
Citing Privacy Law, Registrars Cease Sharing Whois Data, Says Kroll's Alan Brill
Who is responsible for a domain name or an IP address? Answering that question is the job of internet registrars, who require anyone who registers a top-level domain name to share their name, email address and phone number, plus administrative and technical contacts.
This "whois data" is an essential tool for investigators battling cybercrime, fraud and nation-state attacks. "As you can imagine, when you're doing an investigation - whether you're a corporate investigator or a law enforcement investigator - that's kind of useful information," says Alan Brill, senior managing director in the cyber risk practice at the consultancy Kroll.
Unfortunately, he says, access to this whois data has been complicated by the "law of unintended consequences" since the EU General Data Protection Regulation came into effect in 2017. Since then, many registrars who sell domain names treat all whois information as being covered by the EU privacy law and no longer share it publicly.
"Now, you get virtually no information when you go into whois for a dot-com or dot-org, and that's a problem," Brill says. "In fact, the Coalition for a Secure and Transparent Internet did a survey, and they found that over 70% of the investigations that were being carried out relating to cyber were being negatively impacted by this change and … frankly, there's not a lot being done to remedy this situation."
In this video interview with Information Security Media Group, Brill also discusses:
- The history and uses of whois, and how registrars' approach has changed since GDPR came into effect;
- The need for better coordination between the registrar community, ICANN and numerous governments;
- How organizations participating in the Coalition for Secure and Transparent Internet are attempting to once again make whois data more accessible.
Brill is a senior managing director with Kroll's cyber risk practice. As the founder of Kroll's global high-tech investigations practice, he has led engagements that range from large-scale reviews of information security and cyber incidents for multibillion-dollar corporations to criminal investigations of computer intrusions.
Mathew Schwartz: There's been a change with whois that impacts how law enforcement and corporate investigators can pursue and investigate online crime. Hi, I'm Mathew Schwartz with Information Security Media Group. And one of the wrinkles here is that almost nobody really knows about it, or at least seems to be discussing it effectively. But somebody who is discussing it effectively is Alan Brill, senior managing director in Kroll's cyber risk practice. It's my pleasure to welcome Alan back to our studios. Hello, Alan.
Alan Brill: Hey, Mat, how are you?
Mathew Schwartz: I'm good. I'm excited as always, to get to discuss all things cybercrime, with you and whois has a - I feel like I should be singing the theme song from CSI when I do that - but whois has had an impact on our investigative abilities? What's happened? What have we lost?
Alan Brill: When the European data security law, the GDPR, went into effect, the registrars - the people that sell you the URLs - said, "Well, we're going to consider that registration data to be covered by GDPR." Now, GDPR covers people, human beings, natural people, doesn't really cover corporations. But the registrars didn't make that distinction. And they basically just shut down whois. Now, if you think about it, whois has been around since the very beginning of the intranet, you could always just go in and ask whois, and put in a URL and find out who was behind it. And as you can imagine, when you're doing an investigation, whether you're a corporate investigator, or a law enforcement investigator, that's kind of useful information. And in fact, it also impacts individuals. When there's a disaster, we often see sites popping up looking for donations, and they look terrific. But are they real? Or are you funding a fraudster? And it used to be that you could do a whois and you would see whether it made sense or not - if they claimed to be a major charitable organization, but it was registered by somebody you'd never heard of, or it was in a country that made no sense, you'd know it. But that's kind of going away. And now you get virtually no information when you go into whois for a dot-com or dot-org. And that's a problem. In fact, the Coalition for a Secure and Transparent Internet did a survey. And they found that over 70% of the investigations that were being carried out relating to cyber were being negatively impacted by this change in whois and frankly, there's not a lot being done to remedy this situation.
Mathew Schwartz: How did we get here? Because the EU is certainly no slouch when it comes to online investigations. Law enforcement agencies and collaboration between those agencies, online crime: such a huge threat. Bad websites. We just saw earlier this month an attack that targeted Cloudflare and also Twilio. And there was an attack against Cisco. And in each of these attacks, attackers used lookalike websites designed to look like the real thing. And they were good enough to fool some of the victims. And I know that some of the organizations, including Cisco, had tools they were using, where they could ascertain if this was a known good or known bad site. So attackers would create them and attack within 45 minutes before the service had a chance to check. So they're obviously canny to the ways that they can get around those sorts of defenses. As you say, whois used to be: punch it up, you can see who owns the site. They added privacy features after that. But with a court order, I'm sure you could get through those with the registrar and see who really did own it. But now that you've got this extra layer with the GDPR, how did we get here? This seems like a massive oversight on the government's part.
Alan Brill: You know, I think honestly, if you think about what the European legislators are working on, it's very much another example of the law of unintended consequences. That this wasn't why they wrote the law. This wasn't something that was, I think, in their minds. But it was how the registrar community decided to react to it. And that is still in place. And in fact, ICANN, the organization that is nominally in control of all of this, hasn't really come up with the solution, and doesn't really have a workable solution that they think they can field anytime soon. And as long as this occurs, Mat, you're absolutely right, that what we're doing is we're providing a better tool for the criminals to use in pulling off frauds. And, again, as you say, you can establish a URL, have it running and use it in a fraud in minutes. And there are many registrars that will have no problem issuing that URL, getting it running, and in fact, will do it for hundreds of URLs at a time. So we're faced as investigators - and my colleagues in law enforcement around the world - with a problem. And that is that information that used to be readily available to us isn't available. And when you consider the fact that registrars operate globally, even getting a court order that's going to actually work can be complicated. Because you may be dealing in multiple jurisdictions. There was in the last few days a prosecution of some fraudsters. And it was about eight countries that had to cooperate, to pull together all the information needed to bring the case. And while it's wonderful to see that they did it, it's crazy that they had to do it, and in some cases, just to get basic information.
Mathew Schwartz: Very common. Yes. As you say, it's wonderful that there's this level of collaboration happening between countries, but at the same time, it is in criminals' favor, often if they can operate across borders, which is going to at least slow investigators and if not, block them completely. So this is a sad story so far that we've lost this whois ability. You're not crying, though I see optimism. I see hope, Alan. What sorts of efforts are underway to help remedy this grievous change that we've had?
Alan Brill: Well, I can tell you that in the United States, there are several members of Congress who have figured out that this is a problem and are working toward motivating a solution. The NTIA, the National Telecommunications organization, is involved in this and is evolving how it may be able to help in this way. There's also an organization, the Coalition for Secure and Transparent Internet, where we have a group of organizations from the major players in cyber that you would expect, all getting together to look at this problem, and to see what it's doing, and what we can do to get a solution that both recognizes the need to protect the private information of individuals and recognizes the fact that cybercrime is real, and that it has to be investigated. And that the resources to do that are limited. And if we have to expend substantial resources, to do something that used to be a matter of a couple of minutes, that's going to affect the balance of what you can investigate, and how effectively you can investigate. And, you know, working together with organizations that you wouldn't even think of, for example, the national board that registers pharmacies, who are concerned about the proliferation of fake drugs coming in from other countries, and determining which pharmacies are real and which aren't. This is a problem and it's a problem that needs fixing. And it's going to take a global effort to recognize that this has happened, even though it was never, I think really intended to happen. And then we need a solution that doesn't just say: "We're going to not have the information." But provides a way of getting it and getting it in an effective, efficient way - not necessarily filing a request, waiting a certain period of time, and then having the request denied or delayed.
Mathew Schwartz: So it sounds like finding a working solution is going to require working with ICANN to some extent, also working with EU legislators, because they're going to need to perhaps create exemptions, or specify, legally speaking, that this sort of information maybe isn't covered by GDPR. Are there any solutions that you're pushing or advocating for? Or are we still at the - more of the - ideas generation phase or how we hope to tackle this?
Alan Brill: Well, the real issue is: who can tackle this? And it really is ICANN and the registrar community. And, you know, I recognize that this is an issue for them, having to sort out whether a given URL is owned by a human being or a company, that is something that is going to take work. But I think we have to get it done and we have to work not just between the EU legislators and the registrar community and ICANN but governments across the world. Because everyone's law enforcement is affected by this, and coming up with solutions that protect the privacy where it's appropriate, but don't just give a blank check to the cybercriminal community, is what's needed. And as I said, we're seeing some legislators here in the United States that are focusing on this. It's just going to take time, and it's going to take effort around the world, to bring this to people's attention, and to work on a solution that will work for the registrars, that will work for ICANN, that will work for the law enforcement community, and will work for the corporate investigative community.
Mathew Schwartz: So law enforcement, community members, investigative community members, if they want to get involved in this and helping come up with solutions and advocating for it, what do you recommend?
Alan Brill: Well, take a look at the webpage of the Coalition for a Secure and Transparent Internet at secureandtransparent.org. And talk to your legislators, talk to your law enforcement people and see how they feel about it. And what they feel would be appropriate in a given country. Each country is going to have a slightly different take on this. And they also have to think about the rules within their own top-level domains. Do you really want to let this happen? Or do you want to have your domain still operate a whois that works, as is the case with a number of TLDs? But all in all, I think this is a solution that is going to take working together and recognizing both the need for privacy and the need for investigations where crimes are occurring, and they're occurring every day and they're occurring quickly.
Mathew Schwartz: That's a really good point you raised and I just want to make sure that we touch on that, which is that whois does work for some sites still. Definitely I've used it as a reporter, you investigate things, you try to see if you can figure out who owns this or that domain. As an internet user, I've also registered domains and been able to set privacy settings for those. So when you're investigating, for example, and you go to a registrar in the States, and there's privacy settings enabled, are you as an investigator able to still recover that information about who owns the site? Or would that be something only law enforcement could do? Or are there any rules there or agreements?
Alan Brill: Sure, there are many, many rules and agreements. Law enforcement can work with subpoenas. We can institute legal action to try to get a court order to get the information from a registrar. But, the whole point is, is that the way we want to go, as a world? Or do we want to have a system that works for everybody, that does represent the privacy advocates, but also represents the needs of the global investigative community, because those are very real. And whether you're an individual trying to figure out if a site seeking a donation is real, or whether you're a law enforcement agent, trying to figure out if somebody is sending in a fake drug, we need to take care of that. We can't ignore it. We can't just kick the can down the road year after year after year after year. Because as with every crime, including cybercrime, there are real-world consequences. And those real-world consequences affect real people. And those people deserve protection. And we need to come up with a solution that recognizes each of the parties' needs, but ultimately gives us something that actually works.
Mathew Schwartz: Wise words. I wish you and your collaborators the best of luck when it comes to getting a whois system that works not least for investigations and battling online crime. Alan, it's always a pleasure to speak with you. Thank you.
Alan Brill: My pleasure, Mat, good to speak to you.
Mathew Schwartz: I've been speaking with Alan Brill, senior managing director in Kroll's cyber risk practice. I'm Mathew Schwartz with ISMG. Thank you for joining us.